Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report BANK-STATMENT _xlsx.exe

Overview

General Information

Sample Name:BANK-STATMENT _xlsx.exe
Analysis ID:320625
MD5:debe564cd4c27c02d23c828df27fe27f
SHA1:1b55fba242460cc0a5b38299acaaacf3f54c5e87
SHA256:edafe7e62738e180cb882d93f37d2d306627aef482d6f7a7a06c69198c61cd58
Tags:exeHawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • BANK-STATMENT _xlsx.exe (PID: 1496 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' MD5: DEBE564CD4C27C02D23C828DF27FE27F)
    • BANK-STATMENT _xlsx.exe (PID: 4500 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' MD5: DEBE564CD4C27C02D23C828DF27FE27F)
      • dw20.exe (PID: 5996 cmdline: dw20.exe -x -s 2264 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7044 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • BANK-STATMENT _xlsx.exe (PID: 3984 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
      • BANK-STATMENT _xlsx.exe (PID: 1900 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
        • BANK-STATMENT _xlsx.exe (PID: 4240 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
          • dw20.exe (PID: 5456 cmdline: dw20.exe -x -s 2304 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • BANK-STATMENT _xlsx.exe (PID: 6452 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
          • BANK-STATMENT _xlsx.exe (PID: 3028 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
            • BANK-STATMENT _xlsx.exe (PID: 1548 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
              • dw20.exe (PID: 5992 cmdline: dw20.exe -x -s 2288 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
              • vbc.exe (PID: 5676 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
              • vbc.exe (PID: 6708 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
            • BANK-STATMENT _xlsx.exe (PID: 2240 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
              • BANK-STATMENT _xlsx.exe (PID: 6984 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                • BANK-STATMENT _xlsx.exe (PID: 6180 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                  • dw20.exe (PID: 5484 cmdline: dw20.exe -x -s 2264 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                • BANK-STATMENT _xlsx.exe (PID: 6188 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                  • BANK-STATMENT _xlsx.exe (PID: 5540 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                    • BANK-STATMENT _xlsx.exe (PID: 5580 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                      • dw20.exe (PID: 6904 cmdline: dw20.exe -x -s 2324 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
                    • BANK-STATMENT _xlsx.exe (PID: 5588 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                      • BANK-STATMENT _xlsx.exe (PID: 6176 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                        • BANK-STATMENT _xlsx.exe (PID: 2864 cmdline: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe MD5: DEBE564CD4C27C02D23C828DF27FE27F)
                        • BANK-STATMENT _xlsx.exe (PID: 4608 cmdline: 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578 MD5: DEBE564CD4C27C02D23C828DF27FE27F)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
    00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
    • 0x2674:$hawkstr1: HawkEye Keylogger
    • 0x20ec:$hawkstr2: Dear HawkEye Customers!
    • 0x221e:$hawkstr3: HawkEye Logger Details:
    00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
    • 0x7b984:$key: HawkEyeKeylogger
    • 0x7dbb4:$salt: 099u787978786
    • 0x7bfc5:$string1: HawkEye_Keylogger
    • 0x7ce04:$string1: HawkEye_Keylogger
    • 0x7db14:$string1: HawkEye_Keylogger
    • 0x7c39a:$string2: holdermail.txt
    • 0x7c3ba:$string2: holdermail.txt
    • 0x7c2dc:$string3: wallet.dat
    • 0x7c2f4:$string3: wallet.dat
    • 0x7c30a:$string3: wallet.dat
    • 0x7d6d8:$string4: Keylog Records
    • 0x7d9f0:$string4: Keylog Records
    • 0x7dc0c:$string5: do not script -->
    • 0x7b96c:$string6: \pidloc.txt
    • 0x7b9fa:$string7: BSPLIT
    • 0x7ba0a:$string7: BSPLIT
    00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
        Click to see the 280 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        25.2.vbc.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          7.2.vbc.exe.400000.0.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
            1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
            • 0x7b89c:$key: HawkEyeKeylogger
            • 0x7dacc:$salt: 099u787978786
            • 0x7bedd:$string1: HawkEye_Keylogger
            • 0x7cd1c:$string1: HawkEye_Keylogger
            • 0x7da2c:$string1: HawkEye_Keylogger
            • 0x7c2b2:$string2: holdermail.txt
            • 0x7c2d2:$string2: holdermail.txt
            • 0x7c1f4:$string3: wallet.dat
            • 0x7c20c:$string3: wallet.dat
            • 0x7c222:$string3: wallet.dat
            • 0x7d5f0:$string4: Keylog Records
            • 0x7d908:$string4: Keylog Records
            • 0x7db24:$string5: do not script -->
            • 0x7b884:$string6: \pidloc.txt
            • 0x7b912:$string7: BSPLIT
            • 0x7b922:$string7: BSPLIT
            1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
              1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
                Click to see the 216 entries

                Sigma Overview

                No Sigma rule has matched

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Found malware configurationShow sources
                Source: vbc.exe.6920.6.memstrMalware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
                Multi AV Scanner detection for submitted fileShow sources
                Source: BANK-STATMENT _xlsx.exeVirustotal: Detection: 40%Perma Link
                Source: BANK-STATMENT _xlsx.exeReversingLabs: Detection: 41%
                Machine Learning detection for sampleShow sources
                Source: BANK-STATMENT _xlsx.exeJoe Sandbox ML: detected
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: [autorun]
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00408900 FindFirstFileA,GetLastError,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00408900 FindFirstFileA,GetLastError,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,

                Networking:

                barindex
                Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                Source: TrafficSnort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.4:49746 -> 166.62.27.57:587
                May check the online IP address of the machineShow sources
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: global trafficTCP traffic: 192.168.2.4:49746 -> 166.62.27.57:587
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
                Source: global trafficTCP traffic: 192.168.2.4:49746 -> 166.62.27.57:587
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: BANK-STATMENT _xlsx.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000007.00000003.704761625.000000000095E000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.837983424.00000000009CE000.00000004.00000001.sdmpString found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000007.00000003.704761625.000000000095E000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.837983424.00000000009CE000.00000004.00000001.sdmpString found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
                Source: unknownDNS traffic detected: queries for: 201.75.14.0.in-addr.arpa
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpString found in binary or memory: http://go.microsoft.LinkId=42127
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: http://static-global-s-msn-com.ak
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                Source: BANK-STATMENT _xlsx.exe, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.comx&
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670079069.0000000005123000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671131128.0000000005127000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com#
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671889636.00000000050FB000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comc
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comg
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comsig
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670800155.0000000005106000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comz
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773005820.0000000005100000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com)
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.675887823.000000000512B000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.675857787.000000000512A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676434970.0000000005128000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersS
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676177368.0000000005121000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.682397058.0000000005121000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersno
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.674765089.0000000005121000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcom
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomF
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773005820.0000000005100000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitu
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.669103284.0000000005122000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669521206.0000000005105000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.668963519.000000000510A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn7
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn8
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnD
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnZ
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.669404161.0000000005123000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.668963519.000000000510A000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnrb
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/S
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/7
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/://w7
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/N
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Norm
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0nt
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0s
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/alny
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/font
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/typo
                Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpEM3LMEM
                Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpHLMEMh
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSyn
                Source: BANK-STATMENT _xlsx.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?prid=190203
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.comx&
                Source: vbc.exe, 00000007.00000003.704761625.000000000095E000.00000004.00000001.sdmp, vbc.exe, 0000001A.00000003.837983424.00000000009CE000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                Source: vbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/?gws_rd=sslvbLMEMh
                Source: BANK-STATMENT _xlsx.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/favicon.ico
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
                Source: vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49777
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
                Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 49777 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                barindex
                Yara detected HawkEye KeyloggerShow sources
                Source: Yara matchFile source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803619602.0000000002F08000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.915989570.0000000003038000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.885749429.0000000002F48000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.932871258.0000000002F3A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Contains functionality to log keystrokes (.Net Source)Show sources
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Installs a global keyboard hookShow sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0040702E OpenClipboard,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00422A48 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0042308C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00458744 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA,
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665944784.00000000006FA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWindow created: window name: CLIPBRDWNDCLASS
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY

                System Summary:

                barindex
                Malicious sample detected (through community Yara rule)Show sources
                Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00454818 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00449408 GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042D6D0 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004397C4 NtdllDefWindowProc_A,GetCapture,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00490159 NtCreateSection,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00454818 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00449408 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0042D6D0 NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_004397C4 NtdllDefWindowProc_A,GetCapture,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0044EEEC
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00449408
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0040D426
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0040D523
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0041D5AE
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00417646
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0040D6C4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_004429BE
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00446AF4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0046ABFC
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00463C4D
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00463CBE
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0040ED03
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00463D2F
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00463DC0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0040CF92
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0041AFA6
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048F13D
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_00489976
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_004F9017
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_004F90A8
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_004A227A
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_004B028E
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0043C7BC
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0044EEEC
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00449408
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404F4E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00404419
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00404516
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00413538
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004145A1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0040E639
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004337AF
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004399B1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0043DAE7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00405CF6
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00403F85
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411F99
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: String function: 004035B4 appears 62 times
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: String function: 0044BA9D appears 36 times
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: String function: 0040C224 appears 36 times
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: String function: 004066B8 appears 32 times
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: String function: 00403980 appears 74 times
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: String function: 00404344 appears 36 times
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: String function: 00404320 appears 154 times
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: BANK-STATMENT _xlsx.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665995495.00000000023A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: OriginalFilename vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exeBinary or memory string: OriginalFileName vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.767713264.0000000002432000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788122211.0000000002340000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799067734.00000000022D2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000010.00000002.812025899.0000000002260000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870211427.0000000002822000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.869457392.00000000022B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882472409.0000000000482000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882825216.00000000007A2000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001F.00000002.892381950.0000000002270000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903544550.00000000026C2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.902870919.0000000002340000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmpBinary or memory string: w: %Scannot create INSTEAD OF trigger on table: %SINSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')type='trigger' AND name='%q'no such trigger: %Sno such column: %srows updated_rowid_cannot VACUUM from within a transactioncannot VACUUM - SQL statements in progressATTACH ':memory:' AS vacuum_db;ATTACH '' AS vacuum_db;PRAGMA vacuum_db.synchronous=OFFBEGIN EXCLUSIVE;SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)CREATE VIRTUAL TABLE %TUPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%dname='%q' AND type='table'vtable constructor failed: %svtable constructor did not declare schema: %shidden hiddenno such module: %sNOCASEauto-indextable %s: xBestIndex returned an invalid planat most %d tables in a joincannot use index: %sparser stack overflowset listnear "%T": syntax errortoo many arguments on function %Tqualified table names are not allowed on INSERT, UPDATE, and DELETE statements within triggersthe INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggersthe NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggersinterruptunrecognized token: "%T"temp2011-01-28 17:03:50 ed759d5a9edb3bba5f48f243df47be29e3fe8cd7unable to close due to unfinalised statementsunable to close due to unfinished backup operationunknown errorunable to delete/modify user-function due to active statementsunknown database: %sunable to delete/modify collation sequence due to active statementsno such vfs: %sRTRIMmaindatabase corruption at line %d of [%.10s]misuse at line %d of [%.10s]cannot open file at line %d of [%.10s]\sqlite3.dll\mozsqlite3.dll\nss3.dllsqlite3_opensqlite3_preparesqlite3_stepsqlite3_column_textsqlite3_column_intsqlite3_column_int64sqlite3_finalizesqlite3_closesqlite3_exec\StringFileInfo\\VarFileInfo\Translation%4.4X%4.4X040904E4ProductNameFileDescriptionFileVersionProductVersionCompanyNameInternalNameLegalCopyrightOriginalFileNamelog profile.saveSIsignInvaultcli.dllVaultOpenVaultVaultCloseVaultVaultEnumerateItemsVaultFreeVaultGetInformationVaultG
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912185796.0000000000760000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs BANK-STATMENT _xlsx.exe
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: phoneinfo.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
                Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.csBase64 encoded string: 'V9z0MtEfK2EI50ruA/sX5435SES1SZRTR7cTqTnmp3AxYZifJxwgy7QFTKhlmSGx', 'xs2M8HBBKsXOBp/txdt4WH36BZtFcWtpatuDMJkzHUo9RE6HRhBOXZQPez9CEdmS', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@53/29@20/4
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00420114 GetLastError,FormatMessageA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00408ACA GetDiskFreeSpaceA,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004168F4 FindResourceA,LoadResource,SizeofResource,LockResource,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER65F6.tmpJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: BANK-STATMENT _xlsx.exeVirustotal: Detection: 40%
                Source: BANK-STATMENT _xlsx.exeReversingLabs: Detection: 41%
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile read: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: unknownProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbV source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.806097073.00000000061F0000.00000004.00000001.sdmp
                Source: Binary string: Z[zTs5.pdb6 source: BANK-STATMENT _xlsx.exe, 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp
                Source: Binary string: mscorlib.pdbs\Desktop\BANK-STATMENT _xlsx.exe6 source: BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbD source: BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774857470.0000000006760000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: .pdb* source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbd source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp
                Source: Binary string: rlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbh source: BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbg source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp
                Source: Binary string: 1hoC:\Windows\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbc source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882931760.0000000000847000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbV source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmp
                Source: Binary string: tsymbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdbENT _xlsx.exe source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbk source: BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: BANK-STATMENT _xlsx.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
                Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774885507.0000000006775000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806123008.00000000061FE000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: BANK-STATMENT _xlsx.exe, vbc.exe, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000019.00000002.833212497.0000000000400000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbsea source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882902656.000000000081C000.00000004.00000020.sdmp
                Source: Binary string: mscorlib.pdbH source: BANK-STATMENT _xlsx.exe, 00000001.00000002.777485300.0000000007D8A000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.808147157.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862987604.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.889632651.00000000078AA000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.919074712.00000000079EA000.00000004.00000010.sdmp
                Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: BANK-STATMENT _xlsx.exe, 00000001.00000002.768432901.0000000002625000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.800371357.0000000002635000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.853807140.0000000002445000.00000004.00000040.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884255520.0000000002675000.00000004.00000040.sdmp

                Data Obfuscation:

                barindex
                Detected unpacking (changes PE section rights)Show sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
                Detected unpacking (creates a PE file in dynamic memory)Show sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack
                Detected unpacking (overwrites its own PE header)Show sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeUnpacked PE file: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack
                .NET source code contains potential unpackerShow sources
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00440BF4 push 00440C81h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00426050 push 0042607Ch; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0041A058 push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004100E4 push 00410145h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C0F4 push 0042C120h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C084 push 0042C0B0h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0040C0AE push 0040C0DCh; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0040C0B0 push 0040C0DCh; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C0BC push 0042C0E8h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00410148 push 00410349h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042614C push 00426178h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C164 push 0042C190h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00442120 push 0044214Ch; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C12C push 0042C158h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004301C4 push 0043022Eh; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C1D4 push 0042C200h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004661E4 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042C19C push 0042C1C8h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00430230 push 0043029Ah; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00464314 push 00464340h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00410458 push 00410488h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0041045C push 00410488h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00406576 push 004065C9h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00406578 push 004065C9h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042E6E8 push 0042E714h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0046A6F4 push 0046A720h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004166FC push ecx; mov dword ptr [esp], edx
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004366B4 push ecx; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004606BC push 004606E8h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00406748 push 00406774h; ret
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0042E73C push 0042E768h; ret

                Hooking and other Techniques for Hiding and Protection:

                barindex
                Changes the view of files in windows explorer (hidden files and folders)Show sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HiddenJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004548A0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0043C024 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00426384 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0043AE98 IsIconic,GetCapture,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0043B740 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00451994 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_004548A0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0043C024 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00426384 IsIconic,GetWindowPlacement,GetWindowRect,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0043AE98 IsIconic,GetCapture,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00454F94 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00455044 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0043B740 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00451994 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicketJump to behavior
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                barindex
                Contains functionality to detect sleep reduction / modificationsShow sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00430110
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00430110
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened / queried: C:\Windows\system32\drivers\VBoxMouse.sys
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened / queried: C:\Windows\system32\drivers\vmmouse.sys
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened / queried: C:\Windows\system32\drivers\VBoxGuest.sys
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeFile opened / queried: C:\Windows\system32\drivers\vmhgfs.sys
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 180000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 180000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00430110
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4780Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4864Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5780Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6916Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6840Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99859s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99750s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99656s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99547s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99453s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99359s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99203s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99109s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -99000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98906s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98797s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98656s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98547s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98453s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98359s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98250s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98109s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -98000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97906s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97797s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97703s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97609s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97453s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97359s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97250s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97156s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 4116Thread sleep time: -97047s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 1808Thread sleep count: 273 > 30
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5768Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5380Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5392Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5532Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 864Thread sleep count: 48 > 30
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6600Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6660Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5984Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6112Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 7048Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -100000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99890s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99750s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99640s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99547s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99437s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99343s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99250s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99093s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -99000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -98890s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -98797s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -98687s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6676Thread sleep time: -98547s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6244Thread sleep count: 90 > 30
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6848Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5628Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5468Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5564Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5732Thread sleep count: 48 > 30
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5948Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6864Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6960Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 6148Thread sleep time: -300000s >= -30000s
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5544Thread sleep count: 48 > 30
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe TID: 5840Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exeFile opened: PhysicalDrive0
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0046A9D0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 0046A9EBh
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_0046A9D0 GetSystemTime followed by cmp: cmp word ptr [esp], 07e4h and CTI: jnc 0046A9EBh
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00408900 FindFirstFileA,GetLastError,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00408900 FindFirstFileA,GetLastError,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 2_2_00405AC0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004206A4 GetSystemInfo,
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVV2
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798729439.00000000008DA000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.775356177.0000000006E40000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.806976267.0000000006810000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.862199701.0000000006330000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.888847938.0000000006950000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugFlags
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess queried: DebugObjectHandle
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_004405C4 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048A746 SetUnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory protected: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                barindex
                .NET source code references suspicious native API functionsShow sources
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Allocates memory in foreign processesShow sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                Injects a PE file into a foreign processesShow sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                Maps a DLL or memory area into another processShow sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection loaded: unknown target: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe protection: execute and read and write
                Sample uses process hollowing techniqueShow sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Writes to foreign memory regionsShow sources
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe 'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2304
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2288
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2264
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2324
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeProcess created: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Program Manager
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: BANK-STATMENT _xlsx.exe, 00000027.00000002.929173429.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetLocaleInfoA,GetACP,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetLocaleInfoA,GetACP,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: GetLocaleInfoA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_0046A9D0 GetSystemTime,ExitProcess,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeCode function: 0_2_00440BF4 GetVersion,
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.665351637.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000002.00000002.781407102.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.786924724.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000010.00000002.810314867.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.822009123.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000017.00000002.864676132.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.868823721.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 0000001F.00000002.891689573.000000000019D000.00000004.00000010.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.894914378.000000000019D000.00000004.00000010.sdmpBinary or memory string: avp.exe
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.774857470.0000000006760000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.798729439.00000000008DA000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.798860254.000000000097E000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmpBinary or memory string: Defender\MsMpeng.exe
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912269653.00000000007FB000.00000004.00000020.sdmpBinary or memory string: Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

                Stealing of Sensitive Information:

                barindex
                Yara detected HawkEye KeyloggerShow sources
                Source: Yara matchFile source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803619602.0000000002F08000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.915989570.0000000003038000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.885749429.0000000002F48000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.932871258.0000000002F3A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Yara detected MailPassViewShow sources
                Source: Yara matchFile source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000019.00000002.833212497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.933151800.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.916237371.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6920, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 5676, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
                Source: Yara matchFile source: 25.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 25.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Tries to harvest and steal browser information (history, passwords, etc)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Tries to steal Instant Messenger accounts or passwordsShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
                Tries to steal Mail credentials (via file access)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Tries to steal Mail credentials (via file registry)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: ESMTPPassword
                Yara detected WebBrowserPassView password recovery toolShow sources
                Source: Yara matchFile source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.933151800.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.916237371.0000000003BB1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 7044, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
                Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 26.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 26.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE

                Remote Access Functionality:

                barindex
                Detected HawkEye RatShow sources
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exeString found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                Source: BANK-STATMENT _xlsx.exeString found in binary or memory: HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exeString found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exeString found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                Source: BANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmpString found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.801657269.0000000002A81000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger|9
                Source: BANK-STATMENT _xlsx.exe, 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmpString found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmpString found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                Source: BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmpString found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.884712791.0000000002AC1000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger|9
                Source: BANK-STATMENT _xlsx.exe, 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmpString found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmpString found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger|9
                Source: BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpString found in binary or memory: HawkEyeKeylogger
                Yara detected HawkEye KeyloggerShow sources
                Source: Yara matchFile source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803619602.0000000002F08000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.915989570.0000000003038000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.885749429.0000000002F48000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000026.00000002.932871258.0000000002F3A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5580, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 6984, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1548, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 1496, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: BANK-STATMENT _xlsx.exe PID: 5540, type: MEMORY
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.2.BANK-STATMENT _xlsx.exe.810000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.BANK-STATMENT _xlsx.exe.2150000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Replication Through Removable Media1Windows Management Instrumentation21DLL Side-Loading1DLL Side-Loading1Disable or Modify Tools1OS Credential Dumping1System Time Discovery11Replication Through Removable Media1Archive Collected Data11Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsNative API11Application Shimming1Application Shimming1Deobfuscate/Decode Files or Information11Input Capture221Peripheral Device Discovery1Remote Desktop ProtocolData from Local System1Exfiltration Over BluetoothEncrypted Channel12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsShared Modules1Logon Script (Windows)Process Injection512Obfuscated Files or Information21Credentials in Registry2Account Discovery1SMB/Windows Admin SharesScreen Capture1Automated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing41Credentials In Files1File and Directory Discovery1Distributed Component Object ModelEmail Collection1Scheduled TransferRemote Access Software1SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsSystem Information Discovery39SSHInput Capture221Data Transfer Size LimitsNon-Application Layer Protocol2Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading1Cached Domain CredentialsQuery Registry1VNCClipboard Data3Exfiltration Over C2 ChannelApplication Layer Protocol13Jamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsModify Registry1DCSyncSecurity Software Discovery1101Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobVirtualization/Sandbox Evasion6Proc FilesystemVirtualization/Sandbox Evasion6Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Process Injection512/etc/passwd and /etc/shadowProcess Discovery4Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Hidden Files and Directories1Network SniffingApplication Window Discovery11Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput CaptureSystem Owner/User Discovery1Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
                Compromise Software Supply ChainUnix ShellLaunchdLaunchdRename System UtilitiesKeyloggingRemote System Discovery1Component Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery
                Compromise Hardware Supply ChainVisual BasicScheduled TaskScheduled TaskMasquerade Task or ServiceGUI Input CaptureSystem Network Configuration Discovery1Exploitation of Remote ServicesEmail CollectionCommonly Used PortProxyDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320625 Sample: BANK-STATMENT _xlsx.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 100 74 201.75.14.0.in-addr.arpa 2->74 76 whatismyipaddress.com 2->76 114 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->114 116 Found malware configuration 2->116 118 Malicious sample detected (through community Yara rule) 2->118 120 14 other signatures 2->120 15 BANK-STATMENT _xlsx.exe 2->15         started        signatures3 process4 signatures5 154 Maps a DLL or memory area into another process 15->154 18 BANK-STATMENT _xlsx.exe 15->18         started        20 BANK-STATMENT _xlsx.exe 15 6 15->20         started        process6 dnsIp7 24 BANK-STATMENT _xlsx.exe 18->24         started        84 mail.iigcest.com 166.62.27.57, 49746, 49780, 587 AS-26496-GO-DADDY-COM-LLCUS United States 20->84 86 201.75.14.0.in-addr.arpa 20->86 88 2 other IPs or domains 20->88 124 Changes the view of files in windows explorer (hidden files and folders) 20->124 126 Writes to foreign memory regions 20->126 128 Allocates memory in foreign processes 20->128 130 3 other signatures 20->130 27 vbc.exe 1 20->27         started        29 vbc.exe 13 20->29         started        31 dw20.exe 23 6 20->31         started        signatures8 process9 signatures10 136 Maps a DLL or memory area into another process 24->136 33 BANK-STATMENT _xlsx.exe 24->33         started        35 BANK-STATMENT _xlsx.exe 6 24->35         started        138 Tries to steal Mail credentials (via file registry) 27->138 140 Tries to steal Instant Messenger accounts or passwords 27->140 142 Tries to steal Mail credentials (via file access) 27->142 process11 dnsIp12 39 BANK-STATMENT _xlsx.exe 33->39         started        78 201.75.14.0.in-addr.arpa 35->78 80 104.16.155.36, 443, 49764, 49774 CLOUDFLARENETUS United States 35->80 82 whatismyipaddress.com 35->82 122 Installs a global keyboard hook 35->122 42 dw20.exe 35->42         started        signatures13 process14 signatures15 132 Maps a DLL or memory area into another process 39->132 44 BANK-STATMENT _xlsx.exe 39->44         started        48 BANK-STATMENT _xlsx.exe 39->48         started        process16 dnsIp17 94 mail.iigcest.com 44->94 96 201.75.14.0.in-addr.arpa 44->96 98 whatismyipaddress.com 44->98 144 Writes to foreign memory regions 44->144 146 Allocates memory in foreign processes 44->146 148 Sample uses process hollowing technique 44->148 150 2 other signatures 44->150 50 vbc.exe 44->50         started        53 vbc.exe 44->53         started        55 dw20.exe 44->55         started        57 BANK-STATMENT _xlsx.exe 48->57         started        signatures18 process19 signatures20 106 Tries to steal Instant Messenger accounts or passwords 50->106 108 Tries to steal Mail credentials (via file access) 50->108 110 Tries to harvest and steal browser information (history, passwords, etc) 53->110 112 Maps a DLL or memory area into another process 57->112 59 BANK-STATMENT _xlsx.exe 57->59         started        61 BANK-STATMENT _xlsx.exe 57->61         started        process21 dnsIp22 65 BANK-STATMENT _xlsx.exe 59->65         started        100 201.75.14.0.in-addr.arpa 61->100 102 whatismyipaddress.com 61->102 152 Installs a global keyboard hook 61->152 68 dw20.exe 61->68         started        signatures23 process24 signatures25 104 Maps a DLL or memory area into another process 65->104 70 BANK-STATMENT _xlsx.exe 65->70         started        process26 dnsIp27 90 201.75.14.0.in-addr.arpa 70->90 92 whatismyipaddress.com 70->92 134 Installs a global keyboard hook 70->134 signatures28

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                BANK-STATMENT _xlsx.exe40%VirustotalBrowse
                BANK-STATMENT _xlsx.exe42%ReversingLabsWin32.Trojan.LokiBot
                BANK-STATMENT _xlsx.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                SourceDetectionScannerLabelLinkDownload
                29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
                29.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
                33.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                37.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                14.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack100%AviraTR/AD.MExecute.lzracDownload File
                21.2.BANK-STATMENT _xlsx.exe.21e0000.2.unpack100%AviraSPR/Tool.MailPassView.473Download File
                1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                1.2.BANK-STATMENT _xlsx.exe.23b0000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                16.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                7.2.vbc.exe.400000.0.unpack100%AviraHEUR/AGEN.1125438Download File
                2.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                34.2.BANK-STATMENT _xlsx.exe.2400000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack100%AviraTR/AD.MExecute.lzracDownload File
                1.2.BANK-STATMENT _xlsx.exe.2290000.2.unpack100%AviraSPR/Tool.MailPassView.473Download File
                28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                28.2.BANK-STATMENT _xlsx.exe.27a0000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                29.1.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
                38.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
                15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                15.2.BANK-STATMENT _xlsx.exe.2310000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                0.2.BANK-STATMENT _xlsx.exe.2780000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack100%AviraTR/AD.MExecute.lzracDownload File
                15.2.BANK-STATMENT _xlsx.exe.2250000.2.unpack100%AviraSPR/Tool.MailPassView.473Download File
                28.2.BANK-STATMENT _xlsx.exe.2750000.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                1.1.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
                21.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
                15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
                15.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
                29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack100%AviraTR/AD.MExecute.lzracDownload File
                29.2.BANK-STATMENT _xlsx.exe.23d0000.2.unpack100%AviraSPR/Tool.MailPassView.473Download File
                20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                20.2.BANK-STATMENT _xlsx.exe.26b0000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                31.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                29.2.BANK-STATMENT _xlsx.exe.ad0000.1.unpack100%AviraTR/Inject.vcoldiDownload File
                20.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
                1.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
                14.2.BANK-STATMENT _xlsx.exe.25e0000.2.unpack100%AviraTR/Patched.Ren.GenDownload File
                35.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                28.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                34.1.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                0.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                38.1.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                33.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                26.2.vbc.exe.400000.0.unpack100%AviraHEUR/AGEN.1125438Download File
                23.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                34.2.BANK-STATMENT _xlsx.exe.22d0000.1.unpack100%AviraTR/Inject.vcoldiDownload File
                21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                21.2.BANK-STATMENT _xlsx.exe.22c0000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                39.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraHEUR/AGEN.1131223Download File
                21.1.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                15.2.BANK-STATMENT _xlsx.exe.810000.1.unpack100%AviraTR/Inject.vcoldiDownload File
                38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                38.2.BANK-STATMENT _xlsx.exe.2350000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                21.2.BANK-STATMENT _xlsx.exe.2150000.1.unpack100%AviraTR/Inject.vcoldiDownload File
                29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                29.2.BANK-STATMENT _xlsx.exe.2460000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                37.2.BANK-STATMENT _xlsx.exe.27c0000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                33.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
                34.2.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
                14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack100%AviraTR/AD.MExecute.lzracDownload File
                14.2.BANK-STATMENT _xlsx.exe.2640000.3.unpack100%AviraSPR/Tool.MailPassView.473Download File
                38.2.BANK-STATMENT _xlsx.exe.2230000.1.unpack100%AviraTR/Inject.vcoldiDownload File
                34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack100%AviraTR/AD.MExecute.lzracDownload File
                34.2.BANK-STATMENT _xlsx.exe.2360000.2.unpack100%AviraSPR/Tool.MailPassView.473Download File
                1.2.BANK-STATMENT _xlsx.exe.9d0000.1.unpack100%AviraTR/Inject.vcoldiDownload File
                38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack100%AviraTR/AD.MExecute.lzracDownload File
                38.2.BANK-STATMENT _xlsx.exe.22c0000.2.unpack100%AviraSPR/Tool.MailPassView.473Download File
                15.1.BANK-STATMENT _xlsx.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://www.carterandcone.comsig0%Avira URL Cloudsafe
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                http://www.carterandcone.com#0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/://w70%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/typo0%Avira URL Cloudsafe
                http://www.founder.com.cn/cnrb0%Avira URL Cloudsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.tiro.com0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/Y0s0%Avira URL Cloudsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.goodfont.co.kr0%URL Reputationsafe
                http://www.carterandcone.com0%URL Reputationsafe
                http://www.carterandcone.com0%URL Reputationsafe
                http://www.carterandcone.com0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/alny0%Avira URL Cloudsafe
                http://whatismyipaddress.comx&0%Avira URL Cloudsafe
                http://www.founder.com.cn/cnD0%Avira URL Cloudsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.sajatypeworks.com0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.typography.netD0%URL Reputationsafe
                http://www.fontbureau.com)0%Avira URL Cloudsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/70%Avira URL Cloudsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://fontfabrik.com0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/font0%Avira URL Cloudsafe
                http://www.fontbureau.comcom0%URL Reputationsafe
                http://www.fontbureau.comcom0%URL Reputationsafe
                http://www.fontbureau.comcom0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/)0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/jp/N0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/Norm0%Avira URL Cloudsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.sandoll.co.kr0%URL Reputationsafe
                http://www.founder.com.cn/cnZ0%Avira URL Cloudsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.urwpp.deDPlease0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.zhongyicts.com.cn0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                http://www.sakkal.com0%URL Reputationsafe
                http://www.fontbureau.comueed0%Avira URL Cloudsafe
                http://www.galapagosdesign.com/0%URL Reputationsafe
                http://www.galapagosdesign.com/0%URL Reputationsafe
                http://www.galapagosdesign.com/0%URL Reputationsafe
                http://www.fontbureau.comF0%URL Reputationsafe
                http://www.fontbureau.comF0%URL Reputationsafe
                http://www.fontbureau.comF0%URL Reputationsafe
                http://www.galapagosdesign.com/S0%Avira URL Cloudsafe
                http://www.carterandcone.comc0%Avira URL Cloudsafe
                http://www.carterandcone.comTC0%URL Reputationsafe
                http://www.carterandcone.comTC0%URL Reputationsafe
                http://www.carterandcone.comTC0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/N0%Avira URL Cloudsafe
                https://whatismyipaddress.comx&0%Avira URL Cloudsafe
                http://go.microsoft.0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/E0%Avira URL Cloudsafe
                http://go.microsoft.LinkId=421270%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.fontbureau.coma0%URL Reputationsafe
                http://www.fontbureau.coma0%URL Reputationsafe
                http://www.fontbureau.coma0%URL Reputationsafe
                http://www.fontbureau.comd0%URL Reputationsafe
                http://www.fontbureau.comd0%URL Reputationsafe
                http://www.fontbureau.comd0%URL Reputationsafe
                http://www.carterandcone.comg0%Avira URL Cloudsafe
                http://www.carterandcone.coml0%URL Reputationsafe
                http://www.carterandcone.coml0%URL Reputationsafe
                http://www.carterandcone.coml0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/Y0nt0%Avira URL Cloudsafe
                http://www.founder.com.cn/cn/0%URL Reputationsafe
                http://www.founder.com.cn/cn/0%URL Reputationsafe
                http://www.founder.com.cn/cn/0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.founder.com.cn/cn0%URL Reputationsafe
                http://www.fontbureau.come0%Avira URL Cloudsafe
                http://www.fontbureau.comoitu0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                whatismyipaddress.com
                		104.16.154.36
                		truefalse
                  		high
                  mail.iigcest.com
                  		166.62.27.57
                  		truetrue
                    		unknown
                    201.75.14.0.in-addr.arpa
                    		unknown
                    		unknowntrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://whatismyipaddress.com/false
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.carterandcone.comsigBANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.fontbureau.com/designersGBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.com#BANK-STATMENT _xlsx.exe, 00000001.00000003.671131128.0000000005127000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/://w7BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designers?BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                              		high
                              http://www.jiyu-kobo.co.jp/typoBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.founder.com.cn/cnrbBANK-STATMENT _xlsx.exe, 00000001.00000003.668963519.000000000510A000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.tiro.comBANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/Y0sBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designersBANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                		high
                                http://www.goodfont.co.krBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.carterandcone.comBANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/alnyBANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.fontbureau.com/designersSBANK-STATMENT _xlsx.exe, 00000001.00000003.676434970.0000000005128000.00000004.00000001.sdmpfalse
                                  		high
                                  http://whatismyipaddress.comx&BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://www.founder.com.cn/cnDBANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.sajatypeworks.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com)BANK-STATMENT _xlsx.exe, 00000001.00000002.773005820.0000000005100000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://www.founder.com.cn/cn/cTheBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/7BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://fontfabrik.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/fontBANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.msn.com/de-ch/?ocid=iehpHLMEMhvbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpfalse
                                    		high
                                    http://www.fontbureau.comcomBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designersdBANK-STATMENT _xlsx.exe, 00000001.00000003.676177368.0000000005121000.00000004.00000001.sdmpfalse
                                      		high
                                      http://whatismyipaddress.com/-BANK-STATMENT _xlsx.exe, 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.galapagosdesign.com/DPleaseBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/)BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/jp/NBANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://login.yahoo.com/config/loginBANK-STATMENT _xlsx.exe, vbc.exefalse
                                          		high
                                          http://www.fonts.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                            		high
                                            http://www.jiyu-kobo.co.jp/NormBANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.sandoll.co.krBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.site.com/logs.phpBANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cnZBANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.urwpp.deDPleaseBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.nirsoft.net/BANK-STATMENT _xlsx.exe, 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.zhongyicts.com.cnBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.sakkal.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comueedBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.com/designerstBANK-STATMENT _xlsx.exe, 00000001.00000003.674765089.0000000005121000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://www.founder.com.cn/cndBANK-STATMENT _xlsx.exe, 00000001.00000003.669404161.0000000005123000.00000004.00000001.sdmpfalse
                                                    		unknown
                                                    https://whatismyipaddress.com/BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://www.apache.org/licenses/LICENSE-2.0BANK-STATMENT _xlsx.exe, 00000001.00000003.670079069.0000000005123000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                        		high
                                                        http://www.fontbureau.comBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                          		high
                                                          http://www.galapagosdesign.com/BANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://whatismyipaddress.comBANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpfalse
                                                            		high
                                                            http://www.fontbureau.comFBANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.galapagosdesign.com/SBANK-STATMENT _xlsx.exe, 00000001.00000003.678233333.00000000050FF000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://www.carterandcone.comcBANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://www.carterandcone.comTCBANK-STATMENT _xlsx.exe, 00000001.00000003.671889636.00000000050FB000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.jiyu-kobo.co.jp/NBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://whatismyipaddress.comx&BANK-STATMENT _xlsx.exe, 0000000F.00000002.803423064.0000000002ED4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.885555940.0000000002F14000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		low
                                                            http://go.microsoft.BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://whatismyipaddress.comBANK-STATMENT _xlsx.exe, 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.801748838.0000000002B0E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.884820790.0000000002B4E000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.915036172.0000000002C3E000.00000004.00000001.sdmpfalse
                                                              		high
                                                              http://www.fontbureau.com/designersnoBANK-STATMENT _xlsx.exe, 00000001.00000003.682397058.0000000005121000.00000004.00000001.sdmpfalse
                                                                		high
                                                                http://www.jiyu-kobo.co.jp/EBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://contextual.media.net/vbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpfalse
                                                                  		high
                                                                  http://go.microsoft.LinkId=42127BANK-STATMENT _xlsx.exe, 0000001D.00000002.882848976.00000000007BD000.00000004.00000020.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.912205260.000000000077B000.00000004.00000020.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		low
                                                                  http://www.jiyu-kobo.co.jp/jp/BANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.fontbureau.comaBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.fontbureau.comdBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.carterandcone.comgBANK-STATMENT _xlsx.exe, 00000001.00000003.670678801.0000000005126000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://www.carterandcone.comlBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.jiyu-kobo.co.jp/Y0ntBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://www.founder.com.cn/cn/BANK-STATMENT _xlsx.exe, 00000001.00000003.669521206.0000000005105000.00000004.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://www.fontbureau.com/designers/cabarga.htmlNBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.founder.com.cn/cnBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.669103284.0000000005122000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    		unknown
                                                                    http://www.fontbureau.com/designers/frere-user.htmlBANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                      		high
                                                                      http://www.fontbureau.comeBANK-STATMENT _xlsx.exe, 00000001.00000002.773005820.0000000005100000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://www.fontbureau.comoituBANK-STATMENT _xlsx.exe, 00000001.00000003.675782658.00000000050FF000.00000004.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.carterandcone.comzBANK-STATMENT _xlsx.exe, 00000001.00000003.670800155.0000000005106000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      http://www.fontbureau.com/designers/cabarga.htmlBANK-STATMENT _xlsx.exe, 00000001.00000003.675887823.000000000512B000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.675857787.000000000512A000.00000004.00000001.sdmpfalse
                                                                        		high
                                                                        http://www.founder.com.cn/cn7BANK-STATMENT _xlsx.exe, 00000001.00000003.668963519.000000000510A000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://static-global-s-msn-com.akvbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://www.fontbureau.comcomFBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://www.founder.com.cn/cn8BANK-STATMENT _xlsx.exe, 00000001.00000003.669162564.0000000005122000.00000004.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://www.jiyu-kobo.co.jp/BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.672193622.00000000050FB000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000001.00000003.671578581.00000000050F4000.00000004.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        • URL Reputation: safe
                                                                        		unknown
                                                                        https://contextual.media.net/checksync.php?&vsSynvbc.exe, 0000001A.00000002.838399630.000000000076E000.00000004.00000020.sdmpfalse
                                                                          		high
                                                                          http://www.fontbureau.com/designers8BANK-STATMENT _xlsx.exe, 00000001.00000002.773771914.0000000005260000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000000F.00000002.804652091.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000015.00000002.858940820.00000000050E0000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 0000001D.00000002.887749942.0000000005220000.00000002.00000001.sdmp, BANK-STATMENT _xlsx.exe, 00000022.00000002.917199610.0000000005250000.00000002.00000001.sdmpfalse
                                                                            		high
                                                                            http://www.jiyu-kobo.co.jp/jBANK-STATMENT _xlsx.exe, 00000001.00000003.672478858.00000000050FA000.00000004.00000001.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://www.msn.com/?ocid=iehpEM3LMEMvbc.exe, 0000001A.00000002.838373686.0000000000758000.00000004.00000020.sdmpfalse
                                                                              		high
                                                                              http://www.fontbureau.comalicBANK-STATMENT _xlsx.exe, 00000001.00000003.676664424.00000000050FF000.00000004.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              http://www.tiro.comicBANK-STATMENT _xlsx.exe, 00000001.00000003.670925242.00000000050FC000.00000004.00000001.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown

                                                                              Contacted IPs

                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs

                                                                              Public

                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                              104.16.154.36
                                                                              		unknownUnited States
                                                                              		13335CLOUDFLARENETUSfalse
                                                                              104.16.155.36
                                                                              		unknownUnited States
                                                                              		13335CLOUDFLARENETUSfalse
                                                                              166.62.27.57
                                                                              		unknownUnited States
                                                                              		26496AS-26496-GO-DADDY-COM-LLCUStrue

                                                                              Private

                                                                              IP
                                                                              192.168.2.1

                                                                              General Information

                                                                              Joe Sandbox Version:31.0.0 Red Diamond
                                                                              Analysis ID:320625
                                                                              Start date:19.11.2020
                                                                              Start time:16:01:48
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 14m 44s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:light
                                                                              Sample file name:BANK-STATMENT _xlsx.exe
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                              Number of analysed new started processes analysed:40
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Detection:MAL
                                                                              Classification:mal100.phis.troj.spyw.evad.winEXE@53/29@20/4
                                                                              EGA Information:Failed
                                                                              HDC Information:
                                                                              • Successful, ratio: 80.4% (good quality ratio 78.5%)
                                                                              • Quality average: 85.2%
                                                                              • Quality standard deviation: 24%
                                                                              HCA Information:
                                                                              • Successful, ratio: 87%
                                                                              • Number of executed functions: 0
                                                                              • Number of non-executed functions: 0
                                                                              Cookbook Comments:
                                                                              • Adjust boot time
                                                                              • Enable AMSI
                                                                              • Found application associated with file extension: .exe
                                                                              Warnings:
                                                                              Show All
                                                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                              • TCP Packets have been reduced to 100
                                                                              • Excluded IPs from analysis (whitelisted): 52.255.188.83, 40.88.32.150, 51.104.144.132, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 52.147.198.201
                                                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus15.cloudapp.net, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.

                                                                              Simulations

                                                                              Behavior and APIs

                                                                              TimeTypeDescription
                                                                              16:02:55API Interceptor63x Sleep call for process: BANK-STATMENT _xlsx.exe modified
                                                                              16:03:31API Interceptor5x Sleep call for process: dw20.exe modified

                                                                              Joe Sandbox View / Context

                                                                              IPs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                              104.16.154.36INQUIRY.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              c9o0CtTIYT.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              6JLHKYvboo.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              khJdbt0clZ.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              ZMOKwXqVHO.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              5Av43Q5IXd.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              8oaZfXDstn.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              9vdouqRTh3.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              M9RhKQ1G91.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              0CyK3Y7XBs.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              pwYhlZGMa6.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              Vll6ZcOkEQ.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              oLHQIQAI3N.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              YrHUxpftPs.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              WuGzF7ZJ7P.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              cj9weNQmT2.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              lk5M5Q97c3.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              2v7Vtqfo81.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              Enquiry_pdf.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/
                                                                              KM4ukzS8ER.exeGet hashmaliciousBrowse
                                                                              • whatismyipaddress.com/

                                                                              Domains

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                              whatismyipaddress.comINQUIRY.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              Prueba de pago.exeGet hashmaliciousBrowse
                                                                              • 104.16.155.36
                                                                              879mgDuqEE.jarGet hashmaliciousBrowse
                                                                              • 66.171.248.178
                                                                              remittance1111.jarGet hashmaliciousBrowse
                                                                              • 66.171.248.178
                                                                              879mgDuqEE.jarGet hashmaliciousBrowse
                                                                              • 66.171.248.178
                                                                              remittance1111.jarGet hashmaliciousBrowse
                                                                              • 66.171.248.178
                                                                              https://my-alliances.co.uk/Get hashmaliciousBrowse
                                                                              • 66.171.248.178
                                                                              c9o0CtTIYT.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              mR3CdUkyLL.exeGet hashmaliciousBrowse
                                                                              • 104.16.155.36
                                                                              6JLHKYvboo.exeGet hashmaliciousBrowse
                                                                              • 104.16.155.36
                                                                              jSMd8npgmU.exeGet hashmaliciousBrowse
                                                                              • 104.16.155.36
                                                                              khJdbt0clZ.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              ZMOKwXqVHO.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              5Av43Q5IXd.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              8oaZfXDstn.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              RXk6PjNTN8.exeGet hashmaliciousBrowse
                                                                              • 104.16.155.36
                                                                              9vdouqRTh3.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              5pB35gGfZ5.exeGet hashmaliciousBrowse
                                                                              • 104.16.155.36
                                                                              M9RhKQ1G91.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              0CyK3Y7XBs.exeGet hashmaliciousBrowse
                                                                              • 104.16.154.36
                                                                              mail.iigcest.comINQUIRY.exeGet hashmaliciousBrowse
                                                                              • 166.62.27.57
                                                                              Vll6ZcOkEQ.exeGet hashmaliciousBrowse
                                                                              • 166.62.27.57
                                                                              x2rzwu7CQ3.exeGet hashmaliciousBrowse
                                                                              • 166.62.27.57
                                                                              X62RG9z7kY.exeGet hashmaliciousBrowse
                                                                              • 166.62.27.57
                                                                              SWIFT100892220-PDF.exeGet hashmaliciousBrowse
                                                                              • 166.62.27.57
                                                                              SWIFT0079111-pdf.exeGet hashmaliciousBrowse
                                                                              • 166.62.27.57
                                                                              AD1-2001328L_pdf.exeGet hashmaliciousBrowse
                                                                              • 166.62.27.57

                                                                              ASN

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                              CLOUDFLARENETUShttps://my.freshbooks.com/#/link/eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzeXN0ZW1pZCI6OTQ3OTM1LCJ1c2VyaWQiOjYzNDYyNywidHlwZSI6Imludm9pY2UiLCJvYmplY3RpZCI6Mjg4MjQ0OSwiZXhwIjoxNjM3MjY5MTgxLCJsZXZlbCI6MH0.DGVcXxdiwtgxTUka4TzPi_o6GS8zH-kvvTnFJZxapLg?companyName=Amanda&invoiceNumber=00007767&ownerEmail=avigilante%40maxburst.com&type=primaryGet hashmaliciousBrowse
                                                                              • 104.16.37.47
                                                                              http://45.95.168.116Get hashmaliciousBrowse
                                                                              • 104.16.19.94
                                                                              https://u7342898.ct.sendgrid.net/ls/click?upn=HCSIWZDf9Xl-2FB6XFKqg1zjEMCja-2BnYJ5hRYKkDjy2dSVqjHsLlv5ZMXJXnh9JLSzwabeBrvYMnX699odsYkKotv4jgW-2BTippSHf276Hpn3fz0kcusnYHGKND7vKQPAS7g42-2FTb5zb8CNq57r3z9Ilg-3D-3DWdrE_hNl5WjNXy0NQcJb9WqI7qh7uPLeU7UGDRahFCFKbQLS6qwym7zJ-2B-2BhWsSSLs8pHa1w9VDlWPsA7ahHsZZucjX2ktFkSy5vhVZT2L3Jxh6b-2FoboCHa2CJGLfF19s71-2FI3WPC7rECe-2BEO9fLwbfggsNq2V1-2FqgMhzgJQL411ZuD7Y8pECisPKLf0vf9WvB1fyVO9o6Euui31Jg3e-2FDialpg2CbkM21Us8J-2FBk13yWzh58-3DGet hashmaliciousBrowse
                                                                              • 104.16.125.175
                                                                              dde1df2ac5845a19823cabe182fcd870.exeGet hashmaliciousBrowse
                                                                              • 104.18.108.8
                                                                              dde1df2ac5845a19823cabe182fcd870.exeGet hashmaliciousBrowse
                                                                              • 104.18.107.8
                                                                              jar.jarGet hashmaliciousBrowse
                                                                              • 104.20.22.46
                                                                              https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                                                              • 104.18.215.67
                                                                              http://iclickcdn.com/tag.min.js?ndn=m2Get hashmaliciousBrowse
                                                                              • 104.26.12.118
                                                                              NyUnwsFSCa.exeGet hashmaliciousBrowse
                                                                              • 162.159.133.233
                                                                              T-online.de.jar.zipGet hashmaliciousBrowse
                                                                              • 104.20.22.46
                                                                              Order specs19.11.20.exeGet hashmaliciousBrowse
                                                                              • 104.31.90.162
                                                                              Bank SWIFT Advice_pdf.exeGet hashmaliciousBrowse
                                                                              • 104.28.4.151
                                                                              Purchase_Order_11_19_20.exeGet hashmaliciousBrowse
                                                                              • 104.28.4.151
                                                                              https://signup.kwikvpn.com/Get hashmaliciousBrowse
                                                                              • 104.16.19.94
                                                                              u8u7GG8XMY.exeGet hashmaliciousBrowse
                                                                              • 66.235.200.147
                                                                              Uwmkxyajs0f2tlf.exeGet hashmaliciousBrowse
                                                                              • 172.67.153.188
                                                                              Purchase Order 40,7045.exeGet hashmaliciousBrowse
                                                                              • 172.67.199.180
                                                                              Proforma Invoice.xlsGet hashmaliciousBrowse
                                                                              • 104.22.1.232
                                                                              Payment Advice - Advice Ref GLV823990339.exeGet hashmaliciousBrowse
                                                                              • 23.227.38.64
                                                                              Proforma Invoice.xlsGet hashmaliciousBrowse
                                                                              • 104.22.1.232
                                                                              CLOUDFLARENETUShttps://my.freshbooks.com/#/link/eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzeXN0ZW1pZCI6OTQ3OTM1LCJ1c2VyaWQiOjYzNDYyNywidHlwZSI6Imludm9pY2UiLCJvYmplY3RpZCI6Mjg4MjQ0OSwiZXhwIjoxNjM3MjY5MTgxLCJsZXZlbCI6MH0.DGVcXxdiwtgxTUka4TzPi_o6GS8zH-kvvTnFJZxapLg?companyName=Amanda&invoiceNumber=00007767&ownerEmail=avigilante%40maxburst.com&type=primaryGet hashmaliciousBrowse
                                                                              • 104.16.37.47
                                                                              http://45.95.168.116Get hashmaliciousBrowse
                                                                              • 104.16.19.94
                                                                              https://u7342898.ct.sendgrid.net/ls/click?upn=HCSIWZDf9Xl-2FB6XFKqg1zjEMCja-2BnYJ5hRYKkDjy2dSVqjHsLlv5ZMXJXnh9JLSzwabeBrvYMnX699odsYkKotv4jgW-2BTippSHf276Hpn3fz0kcusnYHGKND7vKQPAS7g42-2FTb5zb8CNq57r3z9Ilg-3D-3DWdrE_hNl5WjNXy0NQcJb9WqI7qh7uPLeU7UGDRahFCFKbQLS6qwym7zJ-2B-2BhWsSSLs8pHa1w9VDlWPsA7ahHsZZucjX2ktFkSy5vhVZT2L3Jxh6b-2FoboCHa2CJGLfF19s71-2FI3WPC7rECe-2BEO9fLwbfggsNq2V1-2FqgMhzgJQL411ZuD7Y8pECisPKLf0vf9WvB1fyVO9o6Euui31Jg3e-2FDialpg2CbkM21Us8J-2FBk13yWzh58-3DGet hashmaliciousBrowse
                                                                              • 104.16.125.175
                                                                              dde1df2ac5845a19823cabe182fcd870.exeGet hashmaliciousBrowse
                                                                              • 104.18.108.8
                                                                              dde1df2ac5845a19823cabe182fcd870.exeGet hashmaliciousBrowse
                                                                              • 104.18.107.8
                                                                              jar.jarGet hashmaliciousBrowse
                                                                              • 104.20.22.46
                                                                              https://www.canva.com/design/DAEN3YdYVHw/zaVHWoDx-9G9l20JXWSBtg/view?utm_content=DAEN3YdYVHw&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                                                              • 104.18.215.67
                                                                              http://iclickcdn.com/tag.min.js?ndn=m2Get hashmaliciousBrowse
                                                                              • 104.26.12.118
                                                                              NyUnwsFSCa.exeGet hashmaliciousBrowse
                                                                              • 162.159.133.233
                                                                              T-online.de.jar.zipGet hashmaliciousBrowse
                                                                              • 104.20.22.46
                                                                              Order specs19.11.20.exeGet hashmaliciousBrowse
                                                                              • 104.31.90.162
                                                                              Bank SWIFT Advice_pdf.exeGet hashmaliciousBrowse
                                                                              • 104.28.4.151
                                                                              Purchase_Order_11_19_20.exeGet hashmaliciousBrowse
                                                                              • 104.28.4.151
                                                                              https://signup.kwikvpn.com/Get hashmaliciousBrowse
                                                                              • 104.16.19.94
                                                                              u8u7GG8XMY.exeGet hashmaliciousBrowse
                                                                              • 66.235.200.147
                                                                              Uwmkxyajs0f2tlf.exeGet hashmaliciousBrowse
                                                                              • 172.67.153.188
                                                                              Purchase Order 40,7045.exeGet hashmaliciousBrowse
                                                                              • 172.67.199.180
                                                                              Proforma Invoice.xlsGet hashmaliciousBrowse
                                                                              • 104.22.1.232
                                                                              Payment Advice - Advice Ref GLV823990339.exeGet hashmaliciousBrowse
                                                                              • 23.227.38.64
                                                                              Proforma Invoice.xlsGet hashmaliciousBrowse
                                                                              • 104.22.1.232

                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              No context

                                                                              Created / dropped Files

                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_15082965\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18590
                                                                              Entropy (8bit):3.762256301757226
                                                                              Encrypted:false
                                                                              SSDEEP:192:W9XVjIi+VpjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sxS274ItG:YVj6jB7vqsSt/u7sxX4ItG
                                                                              MD5:863ACDCCAAFF0865DC43E7C36A83310D
                                                                              SHA1:9546F6433676B37EB1402E9979C89BF7573691D5
                                                                              SHA-256:0837ABBBE40F4C0CF60097D061154C5D47120608DA89EE9826FC5180253A78F3
                                                                              SHA-512:215248AB9672B796C53105752B41E056B0910D94DBDEA7B9B60DFE892ACEE5C28F7FD853856421D6906A6A17D5FCAF5A01BDADE6B6DC49F7CFC9B3A49A0D19D7
                                                                              Malicious:false
                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.2.7.1.8.2.4.3.8.0.2.7.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.2.7.1.8.2.5.5.8.3.3.9.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.a.a.a.1.4.0.-.a.d.f.5.-.4.9.9.9.-.b.0.1.3.-.8.2.3.e.2.d.3.d.d.a.9.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.9.0.-.0.0.0.1.-.0.0.1.b.-.3.f.d.7.-.b.a.2.9.8.5.b.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.a.0.1.9.e.a.a.4.c.5.0.7.1.3.0.a.a.f.2.7.2.c.4.c.d.5.0.e.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.5.5.f.b.a.2.4.2.4.6.0.c.c.0.a.5.b.3.8.2.9.9.a.c.a.a.a.c.f.3.f.5.4.c.5.e.8.7.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_1534c334\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18586
                                                                              Entropy (8bit):3.7636886014541706
                                                                              Encrypted:false
                                                                              SSDEEP:192:miXVLIi+VpjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sWS274ItC:TVL6jB7vqsSt/u7sWX4ItC
                                                                              MD5:17613DA2429AF011D8432AF3C01E7178
                                                                              SHA1:35453EC2DD80C1F47498A0A2E75519479F1148BF
                                                                              SHA-256:B3F9F48E54441A73FD61A902B1B65B6A1C0EFB53BB7FD9AEA4BB30F6BB67A8E9
                                                                              SHA-512:6DF5B2C387295EFAFB8F7482C66BEB3A3405875587464C880EC9AE37FD2BEBC7D867E8051EF0629ABAAF7B92A24151E0247705B13076B743F22952BDC9E63134
                                                                              Malicious:false
                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.2.7.1.8.6.3.8.6.4.5.2.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.2.7.1.8.6.5.0.6.7.6.3.9.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.2.f.b.8.a.c.-.8.e.f.d.-.4.9.1.f.-.a.8.4.7.-.b.5.4.4.6.9.f.5.2.6.b.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.2.4.-.0.0.0.1.-.0.0.1.b.-.3.b.b.9.-.e.f.4.0.8.5.b.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.a.0.1.9.e.a.a.4.c.5.0.7.1.3.0.a.a.f.2.7.2.c.4.c.d.5.0.e.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.5.5.f.b.a.2.4.2.4.6.0.c.c.0.a.5.b.3.8.2.9.9.a.c.a.a.a.c.f.3.f.5.4.c.5.e.8.7.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_17308cf2\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18590
                                                                              Entropy (8bit):3.7637503088136137
                                                                              Encrypted:false
                                                                              SSDEEP:192:7RyXVYIi+VpjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sxS274Itv:sVY6jB7vqsSt/u7sxX4Itv
                                                                              MD5:9F4280CAC01546D61470D797E0431BCA
                                                                              SHA1:26EE8489F4611F285074202579D7820EDA7F537D
                                                                              SHA-256:FB04737A0C746098A4684211CF906B85B0EA6042672A84D5B565E1CFB0D78FD4
                                                                              SHA-512:76E38887B92EA678D3BC91AA63EB13CA350C8854966EDC2AB69B079E7DD8447D3CD8A7E82644538C30F0FBBC2F21C28CC2AA8CD0B22E9926FE61DCBF7C2780B8
                                                                              Malicious:false
                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.2.7.1.8.3.9.8.6.4.5.9.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.2.7.1.8.4.1.3.6.4.5.9.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.2.2.1.2.8.f.-.d.a.e.5.-.4.8.4.7.-.9.0.f.1.-.9.3.b.d.3.7.a.0.9.6.b.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.0.c.-.0.0.0.1.-.0.0.1.b.-.0.5.2.f.-.c.6.3.1.8.5.b.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.a.0.1.9.e.a.a.4.c.5.0.7.1.3.0.a.a.f.2.7.2.c.4.c.d.5.0.e.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.5.5.f.b.a.2.4.2.4.6.0.c.c.0.a.5.b.3.8.2.9.9.a.c.a.a.a.c.f.3.f.5.4.c.5.e.8.7.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_1aa0f8cb\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18592
                                                                              Entropy (8bit):3.763786373480976
                                                                              Encrypted:false
                                                                              SSDEEP:192:RZ0XV0Ii+VpjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xT5/u7sWS274Iti:fUV06jB7vqsSt/u7sWX4Iti
                                                                              MD5:E47DA98DC5C443208459D81E83BDDAAB
                                                                              SHA1:52BE95EFA7CB50221CC8A83CC3AE88EE921C8157
                                                                              SHA-256:C60A32D4ADB7E38554AC91D789EEBDDA54C28A592DC1B16C4C56857AA2B8EFBF
                                                                              SHA-512:A064D319F76DA111ADA6076FA53A1784C566FBFD72149C596E865F0A554660AD762C28C5EB09A132F1002040255CD2164A51FBD3F64944CDA7DB0C60FAF4B744
                                                                              Malicious:false
                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.2.7.1.8.7.7.5.8.3.2.2.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.2.7.1.8.7.8.7.2.3.8.5.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.1.2.a.2.d.3.-.c.c.c.1.-.4.4.1.2.-.a.8.1.9.-.c.7.3.b.f.c.e.3.4.5.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.c.c.-.0.0.0.1.-.0.0.1.b.-.4.8.8.7.-.5.d.4.8.8.5.b.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.a.0.1.9.e.a.a.4.c.5.0.7.1.3.0.a.a.f.2.7.2.c.4.c.d.5.0.e.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.5.5.f.b.a.2.4.2.4.6.0.c.c.0.a.5.b.3.8.2.9.9.a.c.a.a.a.c.f.3.f.5.4.c.5.e.8.7.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.
                                                                              C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bank-statment _x_319d48559b0a1af85a57a6082102ce05f64a1d9_00000000_173bee50\Report.wer
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):18230
                                                                              Entropy (8bit):3.7611081288567427
                                                                              Encrypted:false
                                                                              SSDEEP:192:fZXVGFi+VpjV/C9yq5bMvg/LHZ+nNN2I1rzvq5xk0z5xTc/u7sxS274ItD:hVGjjB7vqsSI/u7sxX4ItD
                                                                              MD5:1D6B9C7D1BCA6E5B897721E501AE55F7
                                                                              SHA1:55125A143ECECA70B183A7A30C0312EA4C49EC03
                                                                              SHA-256:7EAFC56A884B493D22E34ED069F111AC40EBB40CD69B7AFACEEDB2A0916EAC06
                                                                              SHA-512:D731A058666AE6E4D559017A4F058183D7C630DB12D0E0A6C2BB773CF45391F246517A7942B8DFA61E1307B007573D8F906220A6B0ACD391099ACBD4C8256801
                                                                              Malicious:false
                                                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.2.7.1.7.7.6.4.5.8.5.5.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.2.7.1.7.7.8.0.5.2.2.9.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.d.a.f.b.7.c.6.-.e.e.c.e.-.4.3.1.b.-.b.9.2.f.-.9.d.9.c.b.f.a.4.7.b.e.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.9.4.-.0.0.0.1.-.0.0.1.b.-.4.0.5.c.-.7.9.0.8.8.5.b.e.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.3.a.0.1.9.e.a.a.4.c.5.0.7.1.3.0.a.a.f.2.7.2.c.4.c.d.5.0.e.d.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.b.5.5.f.b.a.2.4.2.4.6.0.c.c.0.a.5.b.3.8.2.9.9.a.c.a.a.a.c.f.3.f.5.4.c.5.e.8.7.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.1.8.:.0.7.:.4.5.:.1.7.!.0.!.B.A.N.K.-.S.T.A.T.M.E.N.T. ._.x.l.s.x...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.5.....T.a.r.g.e.t.A.s.I.d.=.3.6.3...
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2128.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):5692
                                                                              Entropy (8bit):3.7319624624525853
                                                                              Encrypted:false
                                                                              SSDEEP:96:RtIU6o7r3GLt3iwZ66l8YZHuvUubSfOyWggwB+aM1lR1f04Oh6QGm:Rrl7r3GLNiwZ66WYZHuvUubS/+p1lR1W
                                                                              MD5:8552D2001589AA8518032CD3C584137A
                                                                              SHA1:BA2152F9BE4134A2FCE139BC9080A49223A7A717
                                                                              SHA-256:52CBB08329A85E99C93B3453D36E529D827643F1E5485D57C7C6ABB9A2CF0A65
                                                                              SHA-512:FCC3C0DC2DD96F41D1C2B51A73895D23E0683F5E22F85191870F6F33A3F81C16D276395DE87C9EFC86EE7EC9993A83E35F32580D8794CFFF02EF7C7D5E492DD4
                                                                              Malicious:false
                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.4.0.<./.P.i.d.>.......
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER21C5.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.47363119991153
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwSD8zsMJgtWI9sqWSC8BY8fm8M4JFKA7FH+q8v9Ecv4Hqd:uITfKfLSN/JFKKKucvgqd
                                                                              MD5:0498ADAFD3AB8965B176B440425C0A7A
                                                                              SHA1:432D1586917BF8560D4E8192A0E077908206327F
                                                                              SHA-256:BDF1D7678F110EFE8C14134A8D46B0D43974D4EA421F44DFFAEB9C687EAA548C
                                                                              SHA-512:07E3C1827F9157B3A4916445D5ED8A1498532F94CF85FC43D2207213BB99ED2E4BA44BECDDE7B0C2E000E27E409ED6E5C84D8509BE6976DBE68D6C5C43DFA732
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="735854" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DA4.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):7706
                                                                              Entropy (8bit):3.7093624418460873
                                                                              Encrypted:false
                                                                              SSDEEP:192:Rrl7r3GLNiyK6h4aOv6YD668gmfZHuvUubS/+p1SY1f9PGm:RrlsNif6a6Ye68gmfgvvbS6SCfd
                                                                              MD5:13FBDD30D51AB2E61A1A0C2BB9CBAD22
                                                                              SHA1:272F7E82FACE89A45E212A5EDC0F5565AE11173F
                                                                              SHA-256:A925E98DEE3B85593CD16C62CF16AB0FA1BD7BF09424610A0AAC65166408F4B1
                                                                              SHA-512:67518F59765484D7EF9D280D95CD2DCEF9A74BCDE6249B441B93930063185CADCE874D8B9E01BFC829FE87667D547913CDF0C08115A0374BB8F9FB0ABC7E53C8
                                                                              Malicious:false
                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.4.8.<./.P.i.d.>.......
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E9F.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476145816240227
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwSD8zsMJgtWI9sqWSC8B78fm8M4JFKA7FRz+q8v9jcv4Hzd:uITfKfLSNCJFKUzKVcvgzd
                                                                              MD5:9D066B7E9C821DD3E2968B9327FFC583
                                                                              SHA1:E91C21354D81A329C86162F31B4484397FD48B5B
                                                                              SHA-256:0B15A5BB24EB7D299148838CE4185DB9E47322DA48250D399B4196D8F25DD9EC
                                                                              SHA-512:257C0134D7415CE5FA8AFDD8AE1564C8AFEC4DFEB694E35304F5AC38CE40AEBB4CD747EBE7E80FE7C1F13B78EC5B2B5849F2ABD673416C40EEFA9ABBD6BD2FD7
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="735854" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER65F6.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):7664
                                                                              Entropy (8bit):3.7013706190950346
                                                                              Encrypted:false
                                                                              SSDEEP:192:Rrl7r3GLNijr6PT6Ygr6QgmfZHuvUubS/+p1XX1fw9m:RrlsNiP676YU6QgmfgvvbS6XlfH
                                                                              MD5:670D94A4E814A0E3DA13F43F224F812E
                                                                              SHA1:4DF1A1C5AA3C09BCB38AE5F54A01A591B6331B50
                                                                              SHA-256:1DAC09070F73B6B270783D2F400482A35E7DA0DD394BCB880064B7A1132552A2
                                                                              SHA-512:9F8B8C5771CB0BC7554DE8804172EFB796619B948E1C81BD1C45DC919E1FF8D23F43C67C8FFA8F2C37BCB310DDFB6D1F9F8ACE5287CF89C9D2EE9C6FA5A08AA2
                                                                              Malicious:false
                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.0.0.<./.P.i.d.>.......
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER66C2.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476517921665472
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwSD8zs5JgtWI9sqWSC8Bu8fm8M4JFKA7FW+q8v9ncv4HBd:uITfLfLSNNJFKTKtcvgBd
                                                                              MD5:D73E09E3709B8D13B9C98DCD2411FEA7
                                                                              SHA1:76A6F85365798CA0986552BCE6C4E737ECE35A6E
                                                                              SHA-256:55715E63CB2EF0E28F697DD1F5A72E8F87EBCC0FA14EF90EEC49EF6132A0BC01
                                                                              SHA-512:D4F3F73F6320AF8CDEF6F1A840F349E7263136841ABFA69F9A3AF94A96FAEB04295564FB6D0CD46B70F294DE9F032AE76F1849C9A96FC0F265D912F8C930718F
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="735853" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERBB64.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):5692
                                                                              Entropy (8bit):3.7362665521032725
                                                                              Encrypted:false
                                                                              SSDEEP:96:RtIU6o7r3GLt3idP6ccbYZHuvUubSfOyWggwB+aM1UDI1fYBGm:Rrl7r3GLNidP6ccbYZHuvUubS/+p1UDh
                                                                              MD5:017FD89E3734E63FACECEBC9D6C71C99
                                                                              SHA1:198175B96A6310BC6F2EC8B944FA855D55D07664
                                                                              SHA-256:58BCDD3A8523766D70B9B7601D1CBE9C1BE53F02873EEC64F8C60444E82F1CDB
                                                                              SHA-512:CD7AF9624B643E9810A0856D0BFB095EBCDCBFC4D7A65AE63054B4AE54A469CB44E79266968B461FC11C7773B9D76AC49BB1FD5E1FADEE46E730D28AA60F2C6E
                                                                              Malicious:false
                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.8.0.<./.P.i.d.>.......
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC01.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476622485131769
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwSD8zszJgtWI9sqWSC8BG8fm8M4JFKA7Fo+q8v9ocv4H+d:uITfNfLSNZJFKpKCcvg+d
                                                                              MD5:55661D3A5A477629000B09FD2C3C93D3
                                                                              SHA1:A1CCD794CA275B2EE5D5838C2DE3E9D9D710AC2D
                                                                              SHA-256:0A1564FA4EBFCC9E226BAE441CDF3F28C45BFA00819361EBE641834A4EC7E0A6
                                                                              SHA-512:A60C6204867768D8DBF69B414C649696D4C028299ACB064C99A71C23CA5AEFC51E66CA3A666BD2586EBDD4E5565E2BF3C7E09921C8A623C69DD9534D9B12406C
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="735855" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0FB.tmp.WERInternalMetadata.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):5692
                                                                              Entropy (8bit):3.7361337278264863
                                                                              Encrypted:false
                                                                              SSDEEP:96:RtIU6o7r3GLt3iiR6U9cEIXDkYZHuvUubSfOyWggwB+aM1uc1fEXam:Rrl7r3GLNiiR69rzkYZHuvUubS/+p1uj
                                                                              MD5:282364D123559D1559F1BE3C7CE12993
                                                                              SHA1:1900116F8645DD67581E3A3E880588384FA5C3A9
                                                                              SHA-256:A8FA38E71D604414E4ABF48AF5479B672B5613A273F9E56F06C2FB369DA8F7C7
                                                                              SHA-512:8087299D86A418356FD8E61D76688562A136D3ED384136B1F6900A865D3555FBA0036E12B9BF045A2F762ADCC71DD1E479557DBA86177DF6B58E8C95C59CD8AF
                                                                              Malicious:false
                                                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.8.0.<./.P.i.d.>.......
                                                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1C7.tmp.xml
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4657
                                                                              Entropy (8bit):4.476286019433985
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwSD8zszJgtWI9sqWSC8BE8fm8M4JFKA7Fk+q8v9+cv4Hdd:uITfNfLSNHJFKZKAcvgdd
                                                                              MD5:9E3FCD004985DFA030F0F51B1AB27043
                                                                              SHA1:CDB35AD87D4306A2461EAE7D41BE6F62577E9B07
                                                                              SHA-256:73BE6578D438CAEBB83EB34868719FC42AB31EA1C82BE191CAE33BD0B0CFC22E
                                                                              SHA-512:619345A0AC68CB08AC5201B8E75E6F95288B7CE6ACF06A4084F3EC3ED996CDF71828211B0E6C20263C86C6F75BB5F4FAF6B7F02E314D9EF5C788C110F89607C6
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="735855" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                              C:\Users\user\AppData\Local\Temp\holderwb.txt
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):2
                                                                              Entropy (8bit):1.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:Qn:Qn
                                                                              MD5:F3B25701FE362EC84616A93A45CE9998
                                                                              SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                              SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                              SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                              Malicious:false
                                                                              Preview: ..
                                                                              C:\Users\user\AppData\Roaming\pid.txt
                                                                              Process:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4
                                                                              Entropy (8bit):2.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:BR:n
                                                                              MD5:EF0D17B3BDB4EE2AA741BA28C7255C53
                                                                              SHA1:E3479C19053568CE27FCC573669D61191419B296
                                                                              SHA-256:CF5DF267131383187BDB3D2C59A8718E37AC3103AE6612E9EE5FD113A75116E9
                                                                              SHA-512:FD2595FEEB081D9BC1938F59C4F641B895DABD0AD71987F0CA5E278666714B866B4BCC4DDEB8056D1280292C09B82022B9E01C4448B63FF2A8CE9A0C17064BAA
                                                                              Malicious:false
                                                                              Preview: 2864
                                                                              C:\Users\user\AppData\Roaming\pidloc.txt
                                                                              Process:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):46
                                                                              Entropy (8bit):4.50771291359613
                                                                              Encrypted:false
                                                                              SSDEEP:3:oNt+WfWna2ivf6+J:oNwva7jJ
                                                                              MD5:17A331B7B14347C9BF55C859D564272C
                                                                              SHA1:44A7FB06E7DC2D59BDADBA10D88E936BAF85C9ED
                                                                              SHA-256:714BF368D097C449B0C4A831E70AAF6C077860B7B2FFF3BD68687879F2C73D8E
                                                                              SHA-512:A5AE156BBE52F34AA62C31BAA5B8A4A8CA893E36A843D7862B0039101781757AD242C0A6998AAF58491ACE8316C071579CEAB1623163B473F27BEB78F074869D
                                                                              Malicious:false
                                                                              Preview: C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                              Entropy (8bit):6.9327470610312085
                                                                              TrID:
                                                                              • Win32 Executable (generic) a (10002005/4) 99.24%
                                                                              • InstallShield setup (43055/19) 0.43%
                                                                              • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                              • Windows Screen Saver (13104/52) 0.13%
                                                                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                              File name:BANK-STATMENT _xlsx.exe
                                                                              File size:965120
                                                                              MD5:debe564cd4c27c02d23c828df27fe27f
                                                                              SHA1:1b55fba242460cc0a5b38299acaaacf3f54c5e87
                                                                              SHA256:edafe7e62738e180cb882d93f37d2d306627aef482d6f7a7a06c69198c61cd58
                                                                              SHA512:07091b073d5885787f830a6a02a39f1064a80767ac02aea87bbc66ccb93406fba2f7a7bdd9d02d4c04f18b54bb59b34d0fd3e97649584363008c56b126801c37
                                                                              SSDEEP:24576:6odaqxzLqAc4TDlEO9KqOidDy70cd4gKsvi:Rj1uVmhpOidDyv1Ksa
                                                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                              File Icon

                                                                              Icon Hash:be9eeecece709286

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x46add0
                                                                              Entrypoint Section:CODE
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
                                                                              DLL Characteristics:
                                                                              Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:dfbd2d8adc9d5f58fb80cc271c1cf580

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              push ebp
                                                                              mov ebp, esp
                                                                              add esp, FFFFFFF0h
                                                                              mov eax, 0046AC20h
                                                                              call 00007F6BE4B3C7C9h
                                                                              mov eax, dword ptr [00486C60h]
                                                                              mov eax, dword ptr [eax]
                                                                              call 00007F6BE4B8B5D1h
                                                                              mov ecx, dword ptr [00486D50h]
                                                                              mov eax, dword ptr [00486C60h]
                                                                              mov eax, dword ptr [eax]
                                                                              mov edx, dword ptr [0046A72Ch]
                                                                              call 00007F6BE4B8B5D1h
                                                                              mov eax, dword ptr [00486C60h]
                                                                              mov eax, dword ptr [eax]
                                                                              call 00007F6BE4B8B645h
                                                                              call 00007F6BE4B3A2C0h
                                                                              lea eax, dword ptr [eax+00h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x880000x247a.idata
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x950000x5bc5c.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x8d0000x7044.reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x8c0000x18.rdata
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              CODE0x10000x69e180x6a000False0.524259747199data6.51526332301IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                              DATA0x6b0000x1bddc0x1be00False0.171822449552data2.72180144261IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              BSS0x870000xc790x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              .idata0x880000x247a0x2600False0.350637335526data4.93470816555IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              .tls0x8b0000x100x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                              .rdata0x8c0000x180x200False0.048828125data0.20058190744IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                              .reloc0x8d0000x70440x7200False0.581483004386data6.62684722592IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
                                                                              .rsrc0x950000x5bc5c0x5be00False0.887537202381data7.51848710017IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountry
                                                                              RT_CURSOR0x962500x134data
                                                                              RT_CURSOR0x963840x134data
                                                                              RT_CURSOR0x964b80x134data
                                                                              RT_CURSOR0x965ec0x134data
                                                                              RT_CURSOR0x967200x134data
                                                                              RT_CURSOR0x968540x134data
                                                                              RT_CURSOR0x969880x134data
                                                                              RT_BITMAP0x96abc0x1d0data
                                                                              RT_BITMAP0x96c8c0x1e4data
                                                                              RT_BITMAP0x96e700x1d0data
                                                                              RT_BITMAP0x970400x1d0data
                                                                              RT_BITMAP0x972100x1d0data
                                                                              RT_BITMAP0x973e00x1d0data
                                                                              RT_BITMAP0x975b00x1d0data
                                                                              RT_BITMAP0x977800x1d0data
                                                                              RT_BITMAP0x979500x53c6edataEnglishUnited States
                                                                              RT_BITMAP0xeb5c00x1d0data
                                                                              RT_BITMAP0xeb7900xd8data
                                                                              RT_BITMAP0xeb8680x128data
                                                                              RT_BITMAP0xeb9900x128data
                                                                              RT_BITMAP0xebab80x128data
                                                                              RT_BITMAP0xebbe00xe8data
                                                                              RT_BITMAP0xebcc80x128data
                                                                              RT_BITMAP0xebdf00x128data
                                                                              RT_BITMAP0xebf180xd0data
                                                                              RT_BITMAP0xebfe80x128data
                                                                              RT_BITMAP0xec1100x128data
                                                                              RT_BITMAP0xec2380x128data
                                                                              RT_BITMAP0xec3600x128data
                                                                              RT_BITMAP0xec4880x128data
                                                                              RT_BITMAP0xec5b00xe8data
                                                                              RT_BITMAP0xec6980x128data
                                                                              RT_BITMAP0xec7c00x128data
                                                                              RT_BITMAP0xec8e80xd0data
                                                                              RT_BITMAP0xec9b80x128data
                                                                              RT_BITMAP0xecae00x128data
                                                                              RT_BITMAP0xecc080x128data
                                                                              RT_BITMAP0xecd300x128data
                                                                              RT_BITMAP0xece580x128data
                                                                              RT_BITMAP0xecf800xe8data
                                                                              RT_BITMAP0xed0680x128data
                                                                              RT_BITMAP0xed1900x128data
                                                                              RT_BITMAP0xed2b80xd0data
                                                                              RT_BITMAP0xed3880x128data
                                                                              RT_BITMAP0xed4b00x128data
                                                                              RT_BITMAP0xed5d80xd8data
                                                                              RT_BITMAP0xed6b00xd8data
                                                                              RT_BITMAP0xed7880xd8data
                                                                              RT_BITMAP0xed8600xd8data
                                                                              RT_ICON0xed9380x568GLS_BINARY_LSB_FIRSTEnglishUnited States
                                                                              RT_STRING0xedea00xdcdata
                                                                              RT_STRING0xedf7c0x2d8data
                                                                              RT_STRING0xee2540xd8data
                                                                              RT_STRING0xee32c0x160data
                                                                              RT_STRING0xee48c0x218data
                                                                              RT_STRING0xee6a40x470data
                                                                              RT_STRING0xeeb140x380data
                                                                              RT_STRING0xeee940x394data
                                                                              RT_STRING0xef2280x418data
                                                                              RT_STRING0xef6400xf4data
                                                                              RT_STRING0xef7340xc4data
                                                                              RT_STRING0xef7f80x2e0data
                                                                              RT_STRING0xefad80x35cdata
                                                                              RT_STRING0xefe340x2b4data
                                                                              RT_RCDATA0xf00e80x10data
                                                                              RT_RCDATA0xf00f80x224data
                                                                              RT_RCDATA0xf031c0x807Delphi compiled form 'TForm1'
                                                                              RT_GROUP_CURSOR0xf0b240x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b380x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b4c0x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b600x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b740x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b880x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_CURSOR0xf0b9c0x14Lotus unknown worksheet or configuration, revision 0x1
                                                                              RT_GROUP_ICON0xf0bb00x14dataEnglishUnited States
                                                                              RT_HTML0xf0bc40x98dataEnglishUnited States

                                                                              Imports

                                                                              DLLImport
                                                                              kernel32.dllDeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
                                                                              user32.dllGetKeyboardType, LoadStringA, MessageBoxA, CharNextA
                                                                              advapi32.dllRegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                              oleaut32.dllSysFreeString, SysReAllocStringLen, SysAllocStringLen
                                                                              kernel32.dllTlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
                                                                              advapi32.dllRegQueryValueExA, RegOpenKeyExA, RegCloseKey
                                                                              kernel32.dlllstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtectEx, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemTime, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
                                                                              gdi32.dllUnrealizeObject, StretchBlt, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExtCreatePen, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
                                                                              user32.dllWindowFromPoint, WinHelpA, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DeferWindowPos, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, BeginDeferWindowPos, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
                                                                              kernel32.dllSleep
                                                                              oleaut32.dllSafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayRedim, SafeArrayCreate, VariantChangeTypeEx, VariantCopyInd, VariantCopy, VariantClear, VariantInit
                                                                              comctl32.dllImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
                                                                              kernel32.dllMulDiv
                                                                              winmm.dllmciSendCommandA, mciGetErrorStringA
                                                                              kernel32.dllAddVectoredExceptionHandler

                                                                              Possible Origin

                                                                              Language of compilation systemCountry where language is spokenMap
                                                                              EnglishUnited States

                                                                              Network Behavior

                                                                              Snort IDS Alerts

                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                              11/19/20-16:03:11.245137TCP2019926ET TROJAN HawkEye Keylogger Report SMTP49746587192.168.2.4166.62.27.57

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Nov 19, 2020 16:02:54.499708891 CET4973880192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.516001940 CET8049738104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.516113997 CET4973880192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.517074108 CET4973880192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.533266068 CET8049738104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.541414976 CET8049738104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.594522953 CET4973880192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.594763994 CET49739443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.611154079 CET44349739104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.611242056 CET49739443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.672023058 CET49739443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.688457966 CET44349739104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.688901901 CET44349739104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.689006090 CET44349739104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.689054966 CET49739443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.758867025 CET49739443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.762535095 CET49740443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.775322914 CET44349739104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.778700113 CET44349740104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.779587030 CET49740443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.779609919 CET49740443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.798758984 CET44349740104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.799081087 CET44349740104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.799626112 CET44349740104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:02:54.799702883 CET49740443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.800508022 CET49740443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:02:54.816796064 CET44349740104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:08.611728907 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:08.882777929 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:08.882930994 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:09.597856998 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:09.598325968 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:09.869668961 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:09.873588085 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:10.145303011 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:10.145670891 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:10.425162077 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:10.426595926 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:10.697953939 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:10.699817896 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:10.972868919 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:10.973298073 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:11.244473934 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:11.244570017 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:11.245136976 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:11.245273113 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:11.245419979 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:11.245482922 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:11.245569944 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:11.245651960 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:11.517080069 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:11.517100096 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:11.518004894 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:11.527730942 CET58749746166.62.27.57192.168.2.4
                                                                              Nov 19, 2020 16:03:11.580365896 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:38.239831924 CET4973880192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:38.239991903 CET49746587192.168.2.4166.62.27.57
                                                                              Nov 19, 2020 16:03:42.909209967 CET4976480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:42.925932884 CET8049764104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:42.927194118 CET4976480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:42.927691936 CET4976480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:42.944050074 CET8049764104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:42.956650972 CET8049764104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.004832029 CET4976480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:43.006668091 CET49765443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.023049116 CET44349765104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.023211956 CET49765443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.093427896 CET49765443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.109797001 CET44349765104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.113091946 CET44349765104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.113338947 CET44349765104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.113598108 CET49765443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.115885019 CET49765443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.117397070 CET49766443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.132205963 CET44349765104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.133662939 CET44349766104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.134159088 CET49766443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.134731054 CET49766443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.151000023 CET44349766104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.151611090 CET44349766104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.152143002 CET44349766104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:43.154800892 CET49766443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.156320095 CET49766443192.168.2.4104.16.154.36
                                                                              Nov 19, 2020 16:03:43.172498941 CET44349766104.16.154.36192.168.2.4
                                                                              Nov 19, 2020 16:03:51.623248100 CET4976480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.110135078 CET4977480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.126528978 CET8049774104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:58.126627922 CET4977480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.127439022 CET4977480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.143625021 CET8049774104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:58.157450914 CET8049774104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:58.206037998 CET49775443192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.222534895 CET44349775104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:58.222623110 CET49775443192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.255884886 CET4977480192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.290390015 CET49775443192.168.2.4104.16.155.36
                                                                              Nov 19, 2020 16:03:58.306818008 CET44349775104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:58.307987928 CET44349775104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:58.308088064 CET44349775104.16.155.36192.168.2.4
                                                                              Nov 19, 2020 16:03:58.308149099 CET49775443192.168.2.4104.16.155.36

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              Nov 19, 2020 16:02:37.347265005 CET4991053192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:37.374398947 CET53499108.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:38.091876030 CET5585453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:38.118879080 CET53558548.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:39.153587103 CET6454953192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:39.180571079 CET53645498.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:40.477577925 CET6315353192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:40.504650116 CET53631538.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:41.419821024 CET5299153192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:41.446788073 CET53529918.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:42.287302017 CET5370053192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:42.314332962 CET53537008.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:48.014317989 CET5172653192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:48.058628082 CET53517268.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:53.947966099 CET5679453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:53.983439922 CET53567948.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:54.437556982 CET5653453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:54.475153923 CET53565348.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:54.565713882 CET5662753192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:54.592853069 CET53566278.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:02:59.422950029 CET5662153192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:02:59.449935913 CET53566218.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:01.729206085 CET6311653192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:01.756218910 CET53631168.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:03.427460909 CET6407853192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:03.454576969 CET53640788.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:06.844546080 CET6480153192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:06.871615887 CET53648018.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:08.569644928 CET6172153192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:08.608561039 CET53617218.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:26.334978104 CET5125553192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:26.370476961 CET53512558.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:27.336630106 CET6152253192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:27.372004986 CET53615228.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:27.923398972 CET5233753192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:27.950417042 CET53523378.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:28.391411066 CET5504653192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:28.429313898 CET53550468.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:28.727895975 CET4961253192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:28.763827085 CET53496128.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:29.180068016 CET4928553192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:29.215704918 CET53492858.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:29.484210014 CET5060153192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:29.528075933 CET53506018.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:29.613588095 CET6087553192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:29.649548054 CET53608758.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:30.169581890 CET5644853192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:30.207268953 CET53564488.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:31.013119936 CET5917253192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:31.048868895 CET53591728.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:31.545161009 CET6242053192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:31.572143078 CET53624208.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:32.255084038 CET6057953192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:32.282471895 CET53605798.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:32.378735065 CET5018353192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:32.415395975 CET53501838.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:32.917269945 CET6153153192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:32.944896936 CET53615318.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:33.035890102 CET4922853192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:33.063143969 CET53492288.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:42.322643995 CET5979453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:42.349766016 CET53597948.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:42.565202951 CET5591653192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:42.601363897 CET53559168.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:42.855329990 CET5275253192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:42.890909910 CET53527528.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:42.963808060 CET6054253192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:43.004244089 CET53605428.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:45.724968910 CET6068953192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:45.760621071 CET53606898.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:49.401329994 CET6420653192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:49.440566063 CET53642068.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:56.284164906 CET5090453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:56.319935083 CET53509048.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:58.046384096 CET5752553192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:58.082009077 CET53575258.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:58.168235064 CET5381453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:58.204073906 CET53538148.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:58.208667994 CET5341853192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:58.235800982 CET53534188.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:03:59.443418980 CET6283353192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:03:59.470434904 CET53628338.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:01.499191046 CET5926053192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:01.534805059 CET53592608.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:10.725539923 CET4994453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:10.771277905 CET53499448.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:18.482359886 CET6330053192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:18.509577990 CET53633008.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:21.843602896 CET6144953192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:21.879123926 CET53614498.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:22.194811106 CET5127553192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:22.230504036 CET53512758.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:22.299546957 CET6349253192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:22.309029102 CET5894553192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:22.335187912 CET53634928.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:22.344558001 CET53589458.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:25.163994074 CET6077953192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:25.191025019 CET53607798.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:35.599082947 CET6401453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:35.634669065 CET53640148.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:35.926879883 CET5709153192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:35.962539911 CET53570918.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:36.047477961 CET5590453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:36.082937956 CET53559048.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:38.866419077 CET5210953192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:38.893517017 CET53521098.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:47.181365967 CET5445053192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:47.216671944 CET53544508.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:47.244704962 CET4937453192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:47.279954910 CET53493748.8.8.8192.168.2.4
                                                                              Nov 19, 2020 16:04:47.332782984 CET5043653192.168.2.48.8.8.8
                                                                              Nov 19, 2020 16:04:47.368083954 CET53504368.8.8.8192.168.2.4

                                                                              DNS Queries

                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                              Nov 19, 2020 16:02:53.947966099 CET192.168.2.48.8.8.80x1630Standard query (0)201.75.14.0.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.437556982 CET192.168.2.48.8.8.80xb1cStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.565713882 CET192.168.2.48.8.8.80x3b3cStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:08.569644928 CET192.168.2.48.8.8.80x1187Standard query (0)mail.iigcest.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.565202951 CET192.168.2.48.8.8.80xa237Standard query (0)201.75.14.0.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.855329990 CET192.168.2.48.8.8.80x1544Standard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.963808060 CET192.168.2.48.8.8.80x9d9eStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:56.284164906 CET192.168.2.48.8.8.80xabe9Standard query (0)201.75.14.0.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.046384096 CET192.168.2.48.8.8.80xf967Standard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.168235064 CET192.168.2.48.8.8.80xc658Standard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:10.725539923 CET192.168.2.48.8.8.80x5c45Standard query (0)mail.iigcest.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:21.843602896 CET192.168.2.48.8.8.80x2ed2Standard query (0)201.75.14.0.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.194811106 CET192.168.2.48.8.8.80x93bdStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.309029102 CET192.168.2.48.8.8.80x693aStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.599082947 CET192.168.2.48.8.8.80x3a36Standard query (0)201.75.14.0.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.926879883 CET192.168.2.48.8.8.80x5b58Standard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:36.047477961 CET192.168.2.48.8.8.80x4193Standard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.181365967 CET192.168.2.48.8.8.80x9317Standard query (0)201.75.14.0.in-addr.arpaPTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.244704962 CET192.168.2.48.8.8.80xce8dStandard query (0)whatismyipaddress.comA (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.332782984 CET192.168.2.48.8.8.80xf3c1Standard query (0)whatismyipaddress.comA (IP address)IN (0x0001)

                                                                              DNS Answers

                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                              Nov 19, 2020 16:02:53.983439922 CET8.8.8.8192.168.2.40x1630Name error (3)201.75.14.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.475153923 CET8.8.8.8192.168.2.40xb1cNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.475153923 CET8.8.8.8192.168.2.40xb1cNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.592853069 CET8.8.8.8192.168.2.40x3b3cNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:02:54.592853069 CET8.8.8.8192.168.2.40x3b3cNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:08.608561039 CET8.8.8.8192.168.2.40x1187No error (0)mail.iigcest.com166.62.27.57A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.601363897 CET8.8.8.8192.168.2.40xa237Name error (3)201.75.14.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.890909910 CET8.8.8.8192.168.2.40x1544No error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:42.890909910 CET8.8.8.8192.168.2.40x1544No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:43.004244089 CET8.8.8.8192.168.2.40x9d9eNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:43.004244089 CET8.8.8.8192.168.2.40x9d9eNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:56.319935083 CET8.8.8.8192.168.2.40xabe9Name error (3)201.75.14.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.082009077 CET8.8.8.8192.168.2.40xf967No error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.082009077 CET8.8.8.8192.168.2.40xf967No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.204073906 CET8.8.8.8192.168.2.40xc658No error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:03:58.204073906 CET8.8.8.8192.168.2.40xc658No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:10.771277905 CET8.8.8.8192.168.2.40x5c45No error (0)mail.iigcest.com166.62.27.57A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:21.879123926 CET8.8.8.8192.168.2.40x2ed2Name error (3)201.75.14.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.230504036 CET8.8.8.8192.168.2.40x93bdNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.230504036 CET8.8.8.8192.168.2.40x93bdNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.344558001 CET8.8.8.8192.168.2.40x693aNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:22.344558001 CET8.8.8.8192.168.2.40x693aNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.634669065 CET8.8.8.8192.168.2.40x3a36Name error (3)201.75.14.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.962539911 CET8.8.8.8192.168.2.40x5b58No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:35.962539911 CET8.8.8.8192.168.2.40x5b58No error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:36.082937956 CET8.8.8.8192.168.2.40x4193No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:36.082937956 CET8.8.8.8192.168.2.40x4193No error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.216671944 CET8.8.8.8192.168.2.40x9317Name error (3)201.75.14.0.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.279954910 CET8.8.8.8192.168.2.40xce8dNo error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.279954910 CET8.8.8.8192.168.2.40xce8dNo error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.368083954 CET8.8.8.8192.168.2.40xf3c1No error (0)whatismyipaddress.com104.16.155.36A (IP address)IN (0x0001)
                                                                              Nov 19, 2020 16:04:47.368083954 CET8.8.8.8192.168.2.40xf3c1No error (0)whatismyipaddress.com104.16.154.36A (IP address)IN (0x0001)

                                                                              HTTP Request Dependency Graph

                                                                              • whatismyipaddress.com

                                                                              HTTP Packets

                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              0192.168.2.449738104.16.154.3680C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Nov 19, 2020 16:02:54.517074108 CET1095OUTGET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:02:54.541414976 CET1096INHTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:02:54 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:02:54 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a0b73b000097f6a09da000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad09ecebf97f6-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              1192.168.2.449764104.16.155.3680C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Nov 19, 2020 16:03:42.927691936 CET2233OUTGET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:03:42.956650972 CET2234INHTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:03:42 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:03:42 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a1745600002bd6a58a5000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad1cd5d052bd6-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              2192.168.2.449774104.16.155.3680C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Nov 19, 2020 16:03:58.127439022 CET6336OUTGET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:03:58.157450914 CET6337INHTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:03:58 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:03:58 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a1afb50000dfcfea8ac000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad22c5b78dfcf-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              3192.168.2.449783104.16.154.3680C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Nov 19, 2020 16:04:22.275377035 CET6390OUTGET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:04:22.298597097 CET6391INHTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:04:22 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:04:22 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a20e0900002b29571f3000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad2c34bba2b29-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              4192.168.2.449789104.16.154.3680C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Nov 19, 2020 16:04:36.009860039 CET6414OUTGET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:04:36.037992001 CET6414INHTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:04:36 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:04:36 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a243b00000c29552921000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad3191c7fc295-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                              5192.168.2.449794104.16.154.3680C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              TimestampkBytes transferredDirectionData
                                                                              Nov 19, 2020 16:04:47.301661015 CET6429OUTGET / HTTP/1.1
                                                                              Host: whatismyipaddress.com
                                                                              Connection: Keep-Alive
                                                                              Nov 19, 2020 16:04:47.330806971 CET6430INHTTP/1.1 301 Moved Permanently
                                                                              Date: Thu, 19 Nov 2020 15:04:47 GMT
                                                                              Transfer-Encoding: chunked
                                                                              Connection: keep-alive
                                                                              Cache-Control: max-age=3600
                                                                              Expires: Thu, 19 Nov 2020 16:04:47 GMT
                                                                              Location: https://whatismyipaddress.com/
                                                                              cf-request-id: 0682a26fcf00000eaf462bc000000001
                                                                              Server: cloudflare
                                                                              CF-RAY: 5f4ad35fbef10eaf-FRA
                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                              Data Ascii: 0


                                                                              SMTP Packets

                                                                              TimestampSource PortDest PortSource IPDest IPCommands
                                                                              Nov 19, 2020 16:03:09.597856998 CET58749746166.62.27.57192.168.2.4220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Thu, 19 Nov 2020 08:03:09 -0700
                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                              220 and/or bulk e-mail.
                                                                              Nov 19, 2020 16:03:09.598325968 CET49746587192.168.2.4166.62.27.57EHLO 936905
                                                                              Nov 19, 2020 16:03:09.869668961 CET58749746166.62.27.57192.168.2.4250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 936905 [84.17.52.25]
                                                                              250-SIZE 52428800
                                                                              250-8BITMIME
                                                                              250-PIPELINING
                                                                              250-AUTH PLAIN LOGIN
                                                                              250-CHUNKING
                                                                              250-STARTTLS
                                                                              250-SMTPUTF8
                                                                              250 HELP
                                                                              Nov 19, 2020 16:03:09.873588085 CET49746587192.168.2.4166.62.27.57AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                              Nov 19, 2020 16:03:10.145303011 CET58749746166.62.27.57192.168.2.4334 UGFzc3dvcmQ6
                                                                              Nov 19, 2020 16:03:10.425162077 CET58749746166.62.27.57192.168.2.4235 Authentication succeeded
                                                                              Nov 19, 2020 16:03:10.426595926 CET49746587192.168.2.4166.62.27.57MAIL FROM:<ansaf@iigcest.com>
                                                                              Nov 19, 2020 16:03:10.697953939 CET58749746166.62.27.57192.168.2.4250 OK
                                                                              Nov 19, 2020 16:03:10.699817896 CET49746587192.168.2.4166.62.27.57RCPT TO:<ansaf@iigcest.com>
                                                                              Nov 19, 2020 16:03:10.972868919 CET58749746166.62.27.57192.168.2.4250 Accepted
                                                                              Nov 19, 2020 16:03:10.973298073 CET49746587192.168.2.4166.62.27.57DATA
                                                                              Nov 19, 2020 16:03:11.244570017 CET58749746166.62.27.57192.168.2.4354 Enter message, ending with "." on a line by itself
                                                                              Nov 19, 2020 16:03:11.245651960 CET49746587192.168.2.4166.62.27.57.
                                                                              Nov 19, 2020 16:03:11.527730942 CET58749746166.62.27.57192.168.2.4250 OK id=1kflSp-007rOY-24
                                                                              Nov 19, 2020 16:04:11.305751085 CET58749780166.62.27.57192.168.2.4220-sg2plcpnl0157.prod.sin2.secureserver.net ESMTP Exim 4.93 #2 Thu, 19 Nov 2020 08:04:11 -0700
                                                                              220-We do not authorize the use of this system to transport unsolicited,
                                                                              220 and/or bulk e-mail.
                                                                              Nov 19, 2020 16:04:11.306165934 CET49780587192.168.2.4166.62.27.57EHLO 936905
                                                                              Nov 19, 2020 16:04:11.568952084 CET58749780166.62.27.57192.168.2.4250-sg2plcpnl0157.prod.sin2.secureserver.net Hello 936905 [84.17.52.25]
                                                                              250-SIZE 52428800
                                                                              250-8BITMIME
                                                                              250-PIPELINING
                                                                              250-AUTH PLAIN LOGIN
                                                                              250-CHUNKING
                                                                              250-STARTTLS
                                                                              250-SMTPUTF8
                                                                              250 HELP
                                                                              Nov 19, 2020 16:04:11.569655895 CET49780587192.168.2.4166.62.27.57AUTH login YW5zYWZAaWlnY2VzdC5jb20=
                                                                              Nov 19, 2020 16:04:11.837136030 CET58749780166.62.27.57192.168.2.4334 UGFzc3dvcmQ6
                                                                              Nov 19, 2020 16:04:12.112052917 CET58749780166.62.27.57192.168.2.4235 Authentication succeeded
                                                                              Nov 19, 2020 16:04:12.112370968 CET49780587192.168.2.4166.62.27.57MAIL FROM:<ansaf@iigcest.com>
                                                                              Nov 19, 2020 16:04:12.375014067 CET58749780166.62.27.57192.168.2.4250 OK

                                                                              Code Manipulations

                                                                              Statistics

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 1496 Parent PID: 5864

                                                                              General

                                                                              Start time:16:02:43
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.666309079.0000000002817000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.666235176.0000000002782000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 4500 Parent PID: 1496

                                                                              General

                                                                              Start time:16:02:43
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe'
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.765706717.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.765500046.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.766725359.0000000002292000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.766451642.00000000009D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.771774923.0000000003AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.767298778.00000000023B2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.770219917.0000000002AF1000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 3984 Parent PID: 1496

                                                                              General

                                                                              Start time:16:02:44
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4500 5715437
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              Analysis Process: dw20.exe PID: 5996 Parent PID: 4500

                                                                              General

                                                                              Start time:16:02:55
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2264
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Analysis Process: vbc.exe PID: 6920 Parent PID: 4500

                                                                              General

                                                                              Start time:16:02:59
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.702728827.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              Analysis Process: vbc.exe PID: 7044 Parent PID: 4500

                                                                              General

                                                                              Start time:16:02:59
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.704959597.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 1900 Parent PID: 3984

                                                                              General

                                                                              Start time:16:03:38
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.788401031.0000000002642000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000E.00000002.788526759.00000000026D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 4240 Parent PID: 1900

                                                                              General

                                                                              Start time:16:03:39
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.803619602.0000000002F08000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.803780001.0000000003A81000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.799181132.0000000002312000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.803587831.0000000002F02000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.797891393.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.797771687.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.798965975.0000000002252000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000002.798500055.0000000000810000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000000F.00000001.785219561.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 6452 Parent PID: 1900

                                                                              General

                                                                              Start time:16:03:41
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 4240 5772140
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              Analysis Process: dw20.exe PID: 5456 Parent PID: 4240

                                                                              General

                                                                              Start time:16:03:44
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2304
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 3028 Parent PID: 6452

                                                                              General

                                                                              Start time:16:03:52
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000014.00000002.826494513.0000000002747000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000014.00000002.825220908.00000000026B2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 1548 Parent PID: 3028

                                                                              General

                                                                              Start time:16:03:53
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.852456722.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.853095833.00000000021E2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.853013004.0000000002150000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.852539322.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.857805866.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.855941175.0000000002A31000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000001.813031999.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000015.00000002.853286228.00000000022C2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 2240 Parent PID: 3028

                                                                              General

                                                                              Start time:16:03:54
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 1548 5785125
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              Analysis Process: dw20.exe PID: 5992 Parent PID: 1548

                                                                              General

                                                                              Start time:16:03:59
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2288
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Analysis Process: vbc.exe PID: 5676 Parent PID: 1548

                                                                              General

                                                                              Start time:16:04:02
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000019.00000002.833212497.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              Analysis Process: vbc.exe PID: 6708 Parent PID: 1548

                                                                              General

                                                                              Start time:16:04:02
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                              Imagebase:0x400000
                                                                              File size:1171592 bytes
                                                                              MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001A.00000002.838140213.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                              Reputation:high

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 6984 Parent PID: 2240

                                                                              General

                                                                              Start time:16:04:17
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.870010845.00000000027A2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001C.00000002.870272329.0000000002837000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 6180 Parent PID: 6984

                                                                              General

                                                                              Start time:16:04:18
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.885749429.0000000002F48000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.883606602.0000000002462000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.883042234.0000000000AD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.885702309.0000000002F42000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.886068587.0000000003AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.883478400.00000000023D2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.882401105.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 0000001D.00000002.882514988.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 6188 Parent PID: 6984

                                                                              General

                                                                              Start time:16:04:19
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 6180 5810484
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              Analysis Process: dw20.exe PID: 5484 Parent PID: 6180

                                                                              General

                                                                              Start time:16:04:23
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2264
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 5540 Parent PID: 6188

                                                                              General

                                                                              Start time:16:04:30
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.903399921.0000000002642000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000021.00000002.903584502.00000000026D7000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 5580 Parent PID: 5540

                                                                              General

                                                                              Start time:16:04:30
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.915921004.0000000003032000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.912614884.0000000002362000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.915989570.0000000003038000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000001.893606211.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.912543574.00000000022D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.912719183.0000000002402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.911923188.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.916237371.0000000003BB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.916237371.0000000003BB1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000022.00000002.911809266.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              Reputation:low

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 5588 Parent PID: 5540

                                                                              General

                                                                              Start time:16:04:31
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 5580 5822718
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Reputation:low

                                                                              Analysis Process: dw20.exe PID: 6904 Parent PID: 5580

                                                                              General

                                                                              Start time:16:04:37
                                                                              Start date:19/11/2020
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:dw20.exe -x -s 2324
                                                                              Imagebase:0x10000000
                                                                              File size:33936 bytes
                                                                              MD5 hash:8D10DA8A3E11747E51F23C882C22BBC3
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 6176 Parent PID: 5588

                                                                              General

                                                                              Start time:16:04:43
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000025.00000002.926331050.0000000002857000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000025.00000002.926178784.00000000027C2000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 2864 Parent PID: 6176

                                                                              General

                                                                              Start time:16:04:44
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.928753119.0000000000497000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.928377317.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.932841604.0000000002F34000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.933151800.0000000003AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.933151800.0000000003AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000001.923369049.00000000004D2000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.930718312.00000000022C2000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.930882020.0000000002352000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000026.00000002.930539943.0000000002230000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                              • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000026.00000002.932871258.0000000002F3A000.00000004.00000001.sdmp, Author: Joe Security

                                                                              Analysis Process: BANK-STATMENT _xlsx.exe PID: 4608 Parent PID: 6176

                                                                              General

                                                                              Start time:16:04:45
                                                                              Start date:19/11/2020
                                                                              Path:C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\BANK-STATMENT _xlsx.exe' 2 2864 5836578
                                                                              Imagebase:0x400000
                                                                              File size:965120 bytes
                                                                              MD5 hash:DEBE564CD4C27C02D23C828DF27FE27F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi

                                                                              Disassembly

                                                                              Code Analysis

                                                                              Reset < >