Windows Analysis Report
Payment-Inv.exe

Overview

General Information

Sample name: Payment-Inv.exe
Analysis ID: 1538475
MD5: d4a26c141b32a5d61efbe2e7f69c0d00
SHA1: b66b6969264564861d5121a6a822b87de385ae91
SHA256: b25969ec654bac567f82da096178825f2e7b89e03a9e4f7ac6ae2ae98aaa6b08
Tags: exe, user-TeamDreier

Detection

DarkCloud
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DarkCloud
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May check the online IP address of the machine
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Payment-Inv.exe (PID: 6656 cmdline: "C:\Users\user\Desktop\Payment-Inv.exe" MD5: D4A26C141B32A5D61EFBE2E7F69C0D00)
  • flakeboard.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe" MD5: D4A26C141B32A5D61EFBE2E7F69C0D00)
  • flakeboard.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe" MD5: D4A26C141B32A5D61EFBE2E7F69C0D00)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
DarkCloud Stealer | Stealer is written in Visual Basic. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud
{"Exfil Mode": "SMTP", "To Address": "purchase.accounts@ahlada.com", "From Address": "purchase.accounts@ahlada.com"}
Source | Rule | Description | Author | Strings
Payment-Inv.exe | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth | 0x4130:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000000.2166274087.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
00000007.00000000.2521818363.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
00000007.00000002.3410576325.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |

Source | Rule | Description | Author | Strings
5.2.flakeboard.exe.400000.0.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
7.0.flakeboard.exe.400000.0.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
0.0.Payment-Inv.exe.400000.0.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
7.2.flakeboard.exe.400000.0.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |
5.0.flakeboard.exe.400000.0.unpack | JoeSecurity_DarkCloud | Yara detected DarkCloud | Joe Security |

System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Payment-Inv.exe, ProcessId: 6656, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\customariness

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-21T11:29:12.240087+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49711 | 162.55.60.2 | 80 | TCP
2024-10-21T11:29:47.267197+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49895 | 162.55.60.2 | 80 | TCP
2024-10-21T11:29:47.926241+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49897 | 162.55.60.2 | 80 | TCP

AV Detection

Source: Payment-Inv.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, Avira: detection malicious, Label: TR/VB.Downloader.Gen
Source: Payment-Inv.exe, Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "purchase.accounts@ahlada.com", "From Address": "purchase.accounts@ahlada.com"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, ReversingLabs: Detection: 73%
Source: Payment-Inv.exe, ReversingLabs: Detection: 73%
Source: Payment-Inv.exe, Virustotal: Detection: 80%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, Joe Sandbox ML: detected
Source: Payment-Inv.exe, Joe Sandbox ML: detected
Source: Payment-Inv.exe, String decryptor: Cookies
Source: Payment-Inv.exe, String decryptor: ^(0x){1}[0-9a-fA-F]{40}$
Source: Payment-Inv.exe, String decryptor: ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})|^((bitcoincash:)?(q|p)[a-z0-9]{41})|^((BITCOINCASH:)?(Q|P)[A-Z0-9]{41})$
Source: Payment-Inv.exe, String decryptor: ^([r])([1-9A-HJ-NP-Za-km-z]{24,34})$
Source: Payment-Inv.exe, String decryptor: ^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
Source: Payment-Inv.exe, String decryptor: ^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$
Source: Payment-Inv.exe, String decryptor: ^G[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]{55}$
Source: Payment-Inv.exe, String decryptor: \Default\Login Data
Source: Payment-Inv.exe, String decryptor: \Login Data
Source: Payment-Inv.exe, String decryptor: //setting[@name='Password']/value
Source: Payment-Inv.exe, String decryptor: Password :
Source: Payment-Inv.exe, String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Payment-Inv.exe, String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: Payment-Inv.exe, String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: Payment-Inv.exe, String decryptor: SMTP Email Address
Source: Payment-Inv.exe, String decryptor: Password
Source: Payment-Inv.exe, String decryptor: NNTP Email Address
Source: Payment-Inv.exe, String decryptor: Email
Source: Payment-Inv.exe, String decryptor: HTTPMail User Name
Source: Payment-Inv.exe, String decryptor: HTTPMail Server
Source: Payment-Inv.exe, String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: Payment-Inv.exe, String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: Payment-Inv.exe, String decryptor: ^3[47][0-9]{13}$
Source: Payment-Inv.exe, String decryptor: ^(6541|6556)[0-9]{12}$
Source: Payment-Inv.exe, String decryptor: ^389[0-9]{11}$
Source: Payment-Inv.exe, String decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Source: Payment-Inv.exe, String decryptor: ^63[7-9][0-9]{13}$
Source: Payment-Inv.exe, String decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
Source: Payment-Inv.exe, String decryptor: ^9[0-9]{15}$
Source: Payment-Inv.exe, String decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
Source: Payment-Inv.exe, String decryptor: Mastercard
Source: Payment-Inv.exe, String decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
Source: Payment-Inv.exe, String decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
Source: Payment-Inv.exe, String decryptor: Visa Card
Source: Payment-Inv.exe, String decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
Source: Payment-Inv.exe, String decryptor: ^(62[0-9]{14,17})$
Source: Payment-Inv.exe, String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Source: Payment-Inv.exe, String decryptor: Visa Master Card
Source: Payment-Inv.exe, String decryptor: \logins.json
Source: Payment-Inv.exe, String decryptor: \signons.sqlite
Source: Payment-Inv.exe, String decryptor: Foxmail.exe
Source: Payment-Inv.exe, String decryptor: mail\
Source: Payment-Inv.exe, String decryptor: \Accounts\Account.rec0
Source: Payment-Inv.exe, String decryptor: \AccCfg\Accounts.tdat
Source: Payment-Inv.exe, String decryptor: EnableSignature
Source: Payment-Inv.exe, String decryptor: Application : FoxMail
Source: Payment-Inv.exe, String decryptor: encryptedUsername
Source: Payment-Inv.exe, String decryptor: logins
Source: Payment-Inv.exe, String decryptor: encryptedPassword
Source: Payment-Inv.exe, String decryptor: purchase.accounts@ahlada.com
Source: Payment-Inv.exe, String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: Payment-Inv.exe, String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: Payment-Inv.exe, String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: Payment-Inv.exe, String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: Payment-Inv.exe, String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: Payment-Inv.exe, String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: Payment-Inv.exe, String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
Source: Payment-Inv.exe, String decryptor: \global-messages-db.sqlite
Source: Payment-Inv.exe, String decryptor: C:\\MailMasterData
Source: Payment-Inv.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: W.pdb4 source: Payment-Inv.exe, flakeboard.exe.0.dr
Source: C:\Users\user\Desktop\Payment-Inv.exe, File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Payment-Inv.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\Payment-Inv.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\Payment-Inv.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
Source: C:\Users\user\Desktop\Payment-Inv.exe, File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Payment-Inv.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: Joe Sandbox View, IP Address: 162.55.60.2
Source: unknown, DNS query: name: showip.net
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49711 -> 162.55.60.2:80
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49897 -> 162.55.60.2:80
Source: Network traffic, Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49895 -> 162.55.60.2:80
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, Code function: 5_2_0043D2F0 __vbaStrCopy,__vbaStrMove,__vbaFixstrConstruct,__vbaNew2,__vbaHresultCheckObj,__vbaHresultCheckObj,__vbaStrToAnsi,InternetOpenA,__vbaSetSystemError,__vbaFreeStrList,__vbaFreeStrList,__vbaFreeObj,__vbaStrToAnsi,InternetOpenUrlA,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,__vbaStrToAnsi,__vbaSetSystemError,__vbaStrToUnicode,__vbaLsetFixstr,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,__vbaStrToAnsi,InternetReadFile,__vbaStrToUnicode,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,#631,__vbaStrMove,__vbaLsetFixstr,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaSetSystemError,#598,__vbaSetSystemError,__vbaStrCopy,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; User-Agent: Project1; Host: showip.net
Source: global traffic, DNS traffic detected: DNS query: showip.net
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeCode function: 5_2_004056C8 GetAsyncKeyState,5_2_004056C8

                        System Summary

                        barindex
                        Source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
                        Source: initial sampleStatic PE information: Filename: Payment-Inv.exe
                        Source: Payment-Inv.exeStatic file information: Suspicious name
                        Source: C:\Users\user\Desktop\Payment-Inv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                        Source: C:\Users\user\Desktop\Payment-Inv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                        Source: C:\Users\user\Desktop\Payment-Inv.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Code function: 5_2_00430480
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Code function: 5_2_004033E4
                        Source: Payment-Inv.exe Static PE information: Resource name: CUSTOM type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                        Source: flakeboard.exe.0.dr Static PE information: Resource name: CUSTOM type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                        Source: Payment-Inv.exe, 00000000.00000003.2311210463.0000000004F58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefirebirds.exe vs Payment-Inv.exe
                        Source: Payment-Inv.exe Binary or memory string: OriginalFilenamefirebirds.exe vs Payment-Inv.exe
                        Source: Payment-Inv.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        Source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                        Source: Payment-Inv.exe, flakeboard.exe.0.dr Binary or memory string: 7@pD*\AC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                        Source: flakeboard.exe, 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp, flakeboard.exe, 00000007.00000002.3410724729.0000000000447000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: XN@*\AC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp Cm
                        Source: flakeboard.exe Binary or memory string: D*\AC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
                        Source: classification engine Classification label: mal100.troj.spyw.winEXE@3/120@1/1
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Mutant created: NULL
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File created: C:\Users\user\AppData\Local\Temp\~DF34BE4CFDAFAB0A23.TMP
                        Source: Payment-Inv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File read: C:\Users\desktop.ini
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: flakeboard.exe Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
                        Source: Payment-Inv.exe, 00000000.00000003.2180223297.000000000058C000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2180507135.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2180107327.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2541083985.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2541248636.0000000000791000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2541413064.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536649530.0000000000763000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536914012.0000000000740000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2537031246.0000000000761000.00000004.00000020.00020000.00000000.sdmp, LogabacusesxBGTaeIfvTUzjaQgHAWxNnWeaZsQuFodevotionality.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: Payment-Inv.exe ReversingLabs: Detection: 73%
                        Source: Payment-Inv.exe Virustotal: Detection: 80%
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File read: C:\Users\user\Desktop\Payment-Inv.exe
                        Source: unknown Process created: C:\Users\user\Desktop\Payment-Inv.exe "C:\Users\user\Desktop\Payment-Inv.exe"
                        Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe"
                        Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe"
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: msvbvm60.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: vb6zz.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: sxs.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: scrrun.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: version.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: ntmarta.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: winsqlite3.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: vbscript.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: mpr.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: wininet.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: zipfldr.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: dui70.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: duser.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: oleacc.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: atlthunk.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: textshaping.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: explorerframe.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: cdosys.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: inetcomm.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: msoert2.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: inetres.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: activeds.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: adsldpc.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: netapi32.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: logoncli.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: mlang.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: msvbvm60.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: vb6zz.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: sxs.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: scrrun.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: ntmarta.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winsqlite3.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: vbscript.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mpr.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wininet.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: zipfldr.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: dui70.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: duser.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: oleacc.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: atlthunk.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: textshaping.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: explorerframe.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: cdosys.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: inetcomm.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: msoert2.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: inetres.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: activeds.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: adsldpc.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: netapi32.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: logoncli.dll
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mlang.dll
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32
                        Source: Window Recorder Window detected: More than 3 window changes detected
                        Source: Binary string: W.pdb4 source: Payment-Inv.exe, flakeboard.exe.0.dr
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce customariness
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\Payment-Inv.exe Window / User API: foregroundWindowGot 1299
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Window / User API: foregroundWindowGot 1597
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Window / User API: foregroundWindowGot 1773
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming
                        Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:05]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:08]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:09]<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:07<<Program Managerun>>
                        Source: KeyDatagPlbcKPT.txt.0.drBinary or memory string: [05:29:54]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatasWOfgWdx.txt.0.drBinary or memory string: [05:30:43]<<Program Manager>>
                        Source: KeyDataVfLQtXHS.txt.0.dr, KeyDatagPlbcKPT.txt.0.drBinary or memory string: [05:29:55]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:10]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:07]<<Program Manager>>am
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managertture
                        Source: KeyDataZwACwHFD.txt.0.dr, KeyDatagPlbcKPT.txt.0.drBinary or memory string: [05:29:53]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:12]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5:30:49]<<Program Managerun>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:22]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:08]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:11]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:23]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003ACC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:17]<<Program Manager>>0
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manageroard Manager
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t:02]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDataQIppfjMl.txt.0.drBinary or memory string: [05:30:42]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:59]<<Program Manager>>nager>>sc
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:34]<<Program ManagerE~1
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:57]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: }[05:31:10]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:08]<<Program Manager>>xtE
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:12]<<Program Manager>> ds
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatawkqkJSHN.txt.0.dr, KeyDataakkZbIPL.txt.0.drBinary or memory string: [05:30:46]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerip32131eldbqU
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {<<Program Manager>>
                        Source: KeyDatauxmCqTJs.txt.0.drBinary or memory string: [05:30:29]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:00]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?w]<<Program Manager>>:43]<<P
                        Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ~[05:29:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManageroardP
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 05:31:10]<<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HQ~[05:31:05]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:45]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:02]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [5:30:40]<<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, KeyDataISIBMHvc.txt.0.dr, KeyDatauxmCqTJs.txt.0.drBinary or memory string: [05:30:28]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:39]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:09]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:12<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: as[05:31:11]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:12]<<Program Manager>>xtG.7
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:52]<<Program Manager>>xtaC
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, KeyDataRijzbbxq.txt.0.drBinary or memory string: [05:31:01]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatasWOfgWdx.txt.0.dr, KeyDataakkZbIPL.txt.0.drBinary or memory string: [05:30:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:54]<<Program Manager>>1D)`#G
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003810000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.0000000000774000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:56]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: v[05:31:11]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +u[05:29:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: z<<Program Manager>>
                        Source: KeyDataudGJeilF.txt.0.drBinary or memory string: [05:30:38]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:04]<<Program Manager>>c\"<
                        Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:12]<<Program Manager>>''ch
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:49]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:03]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:02]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:27]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:59]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:04]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:11]<<Program Manager>>@
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556377508.0000000000776000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wProgram Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:03]<<Program Manager>>0z
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:26]<<Program Manager>>
                        Source: KeyDataiUKSsPPq.txt.0.dr, KeyDatawkqkJSHN.txt.0.drBinary or memory string: [05:30:48]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:11]<<Program Manager>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Iy[05:29:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDataPrAZkwrp.txt.0.dr, KeyDatamjmXVLtG.txt.0.drBinary or memory string: [05:30:51]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:07]<<Program Managerun>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:40]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:12]<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managers@ahlada.com
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manageroardlada.com
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:16]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:11]<<Program Manager
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, KeyDataQIppfjMl.txt.0.dr, KeyDataFUSZjHmZ.txt.0.drBinary or memory string: [05:30:41]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:41]<<Program Manager>>1
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:24]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:04]<<Program Manager>>5a
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:52]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003ACC000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {[05:31:10]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:10]<<Program Manager>>xt
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:35]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, KeyDataOkriMQol.txt.0.drBinary or memory string: [05:31:05]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:28]<<Program Managerprototype.hasOwnProperty.call(y,ca)&&(a=y[ca],Array.isArray(a)&&a!=a&&(c=!0),null!=a?e[ca]=a:c=!0);if(c){for(var rb in e){y=e;break a}y=null}}y!=h&&(Ca=!0);d--}for(;0<d;d--){h=b[d-1];if(null!=h)break;var cb=!0}if(!Ca&&!cb)return b;var da;f?da=b:da=Array.prototype.slice.call(b,0,d);b=da;f&&(b.length=d);y&&b.push(y);return b};function Qa(a){return function(b){if(null==b||""==b)b=new a;else{b=JSON.parse(b);if(!Array.isArray(b))throw Error(void 0);G(b,32);b=Q(a,b)}return b}};function Ra(a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;function V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648*Math.random()).toString(36)+Math.abs(Math.floor(2147483648*Math.random())^Date.now()).toString(36)};function Va(a,b){b=String(b);"application/xhtml+xml"===a.contentType&&(b=b.toLowerCase());return a.createElement(b)}function Wa(a){this.g=a||p.document||document}Wa.prototype.appendChild=function(a,b){a.appendChild(b)};
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:11]<<Program Manager>>1
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:06]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:42]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:07]<Program Managerun>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:50]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JC:\Users\user\AppData\Local\Adobe:29:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:07]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:18]<<Program Manager>>[
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManageriO.BMPa.como
                        Source: KeyDatahDXtWHIF.txt.0.dr, KeyDatawqJiNLOm.txt.0.drBinary or memory string: [05:30:58]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FC:\Users\user\AppData\Local\CEF05:29:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:22]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:14]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManageriO.BMPa.com
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, KeyDatayHwISEIh.txt.0.drBinary or memory string: [05:30:31]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:25]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:57]<<Program Manager>>xtA
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, KeyDataCgXmRCfR.txt.0.drBinary or memory string: [05:30:55]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:43]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [5:31:08]<<Program Manager>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:05]<<Program Manager>>@
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerkWJUsr10#
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:54]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:08]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:09]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:33]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:54]<<Program Manager>>(
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:07]<<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:21]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDataMmCIdyxm.txt.0.dr, KeyDatayHwISEIh.txt.0.drBinary or memory string: [05:30:32]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, KeyDataCgXmRCfR.txt.0.drBinary or memory string: [05:30:56]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, KeyDataMmCIdyxm.txt.0.dr, KeyDataQOFChUkf.txt.0.drBinary or memory string: [05:30:34]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:20]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X^z[05:31:07]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:12]<<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \v[05:31:10]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:33]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :44]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:09]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:29:45]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatamjmXVLtG.txt.0.drBinary or memory string: [05:30:52]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:49]<<Program Manager>>ows\9
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:12]<<Program Manager>>
                        Source: KeyDataQOFChUkf.txt.0.drBinary or memory string: [05:30:35]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 05:30:52]<<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cv[05:31:10]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:18]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:27]<<Program Manager
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:02]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r[05:31:11]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:04]<<Program Manager>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:11]<<Program Manager0
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003ACC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:11]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:09<<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: {:10]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:06]<<Program Manager>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerkY.BMPa.com
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:08]<<Program Manager>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:09]<<Program Manager>>xtk
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: y[05:31:11]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:46]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:09]<<Program Manager>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Vp[05:30:44]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:01]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:21]<<Program Manager>>r
                        Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :10]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:28]<<Program Manager>>I
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:00]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:00]<<Program Manager>>0[
                        Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:30:19]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:09]<<Program Manager>>1N
                        Source: KeyDatatWBDPZVd.txt.0.drBinary or memory string: [05:30:36]<<Program Manager>>
                        Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [05:31:10]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatamjmXVLtG.txt.0.dr, KeyDataTHceNsVF.txt.0.drBinary or memory string: [05:30:53]<<Program Manager>>
                        Source: KeyDataZwACwHFD.txt.0.drBinary or memory string: [05:29:47]<<Program Manager>>
                        Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Bp[05:31:11]<<Program Manager>>
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EEGWXUHVUG.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EIVQSAOTAQ.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EWZCVGNOWT.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNKQCGFJDG.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QFAPOWPAFG.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Payment-Inv.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EEGWXUHVUG.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EIVQSAOTAQ.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EWZCVGNOWT.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNKQCGFJDG.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.pdf VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QFAPOWPAFG.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QFAPOWPAFG.xlsx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.xlsx VolumeInformationJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara match | File source: Payment-Inv.exe, type: SAMPLE
                        Source: Yara match | File source: 5.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.Payment-Inv.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.2166274087.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.2521818363.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.3410576325.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.2441004920.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: Payment-Inv.exe PID: 6656, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: flakeboard.exe PID: 5376, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: flakeboard.exe PID: 5800, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, type: DROPPED
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\Payment-Inv.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                        Source: C:\Users\user\Desktop\Payment-Inv.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Users\user\Desktop\Payment-Inv.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\
                        Source: C:\Users\user\Desktop\Payment-Inv.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\
                        Source: C:\Users\user\Desktop\Payment-Inv.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\
                        Source: C:\Users\user\Desktop\Payment-Inv.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\
                        Source: Yara match | File source: Process Memory Space: flakeboard.exe PID: 5376, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: Payment-Inv.exe, type: SAMPLE
                        Source: Yara match | File source: 5.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.0.Payment-Inv.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 7.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.2166274087.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000000.2521818363.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000007.00000002.3410576325.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.2441004920.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: Payment-Inv.exe PID: 6656, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: flakeboard.exe PID: 5376, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: flakeboard.exe PID: 5800, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, type: DROPPED

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                        Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
                        Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                        Privilege Escalation: Process Injection (2); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
                        Defense Evasion: Process Injection (2); DLL Side-Loading (1); Obfuscated Files or Information; Binary Padding; Software Packing; Steganography
                        Credential Access: OS Credential Dumping (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                        Discovery: Security Software Discovery (11); Process Discovery (1); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (2); System Information Discovery (11)
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                        Collection: Input Capture (11); Archive Collected Data (1); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture
                        Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (2); Fallback Channels; Multiband Communication
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

                        Source | Detection | Scanner | Label | Link
                        Payment-Inv.exe | 74% | ReversingLabs | Win32.Trojan.DarkCloud |
                        Payment-Inv.exe | 81% | Virustotal | | Browse
                        Payment-Inv.exe | 100% | Avira | TR/VB.Downloader.Gen |
                        Payment-Inv.exe | 100% | Joe Sandbox ML | |

                        Source | Detection | Scanner | Label | Link
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | 100% | Avira | TR/VB.Downloader.Gen |
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | 100% | Joe Sandbox ML | |
                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe | 74% | ReversingLabs | Win32.Trojan.DarkCloud |

                        No Antivirus matches

                        Source | Detection | Scanner | Label | Link
                        showip.net | 0% | Virustotal | | Browse

                        Source | Detection | Scanner | Label | Link
                        https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
                        https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
                        https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
                        https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
                        http://schema.org | 0% | URL Reputation | safe |
                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |

                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        showip.net | 162.55.60.2 | true | false | | unknown

                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                        162.55.60.2 | showip.net | United States | | 35893 | ACPCA | false
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1538475
                                                            Start date and time:2024-10-21 11:28:09 +02:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 5m 50s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:9
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:Payment-Inv.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.winEXE@3/120@1/1
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 31
                                                            • Number of non-executed functions: 50
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                                                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
05:29:34 | API Interceptor | 20610x Sleep call for process: Payment-Inv.exe modified
05:30:09 | API Interceptor | 26590x Sleep call for process: flakeboard.exe modified
11:29:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce customariness C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe
11:29:35 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce customariness C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.55.60.2 | QmBe2eUtqs.exe | malicious | DarkCloud | showip.net/
162.55.60.2 | z10RFQ-202401.exe | malicious | DarkCloud | showip.net/
162.55.60.2 | PROFORMA INVOICE.exe | malicious | DarkCloud | showip.net/
162.55.60.2 | BANK STATEMENT REPORT.exe | malicious | DarkCloud | showip.net/
162.55.60.2 | QOaboeP8al.exe | malicious | DarkCloud | showip.net/
162.55.60.2 | Request for Quotataion.exe | malicious | DarkCloud | showip.net/
162.55.60.2 | copia de pago.pdf.exe | malicious | DarkCloud | showip.net/
162.55.60.2 | PO4541 , PO4537.pdf.exe | malicious | DarkCloud, PureLog Stealer | showip.net/
162.55.60.2 | z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer | showip.net/
162.55.60.2 | MTM-PO2411.exe | malicious | DarkCloud | showip.net/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
showip.net | QmBe2eUtqs.exe | malicious | DarkCloud | 162.55.60.2
showip.net | z10RFQ-202401.exe | malicious | DarkCloud | 162.55.60.2
showip.net | PROFORMA INVOICE.exe | malicious | DarkCloud | 162.55.60.2
showip.net | BANK STATEMENT REPORT.exe | malicious | DarkCloud | 162.55.60.2
showip.net | QOaboeP8al.exe | malicious | DarkCloud | 162.55.60.2
showip.net | Request for Quotataion.exe | malicious | DarkCloud | 162.55.60.2
showip.net | copia de pago.pdf.exe | malicious | DarkCloud | 162.55.60.2
showip.net | PO4541 , PO4537.pdf.exe | malicious | DarkCloud, PureLog Stealer | 162.55.60.2
showip.net | z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer | 162.55.60.2
showip.net | MTM-PO2411.exe | malicious | DarkCloud | 162.55.60.2
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ACPCA | bin.armv7l.elf | malicious | Mirai | 162.32.169.42
ACPCA | la.bot.sparc.elf | malicious | Unknown | 162.66.100.20
ACPCA | arm4.elf | malicious | Unknown | 162.34.81.107
ACPCA | r0000000NT_PDF.exe | malicious | FormBook | 162.0.215.33
ACPCA | ppc.elf | malicious | Mirai | 162.52.209.59
ACPCA | Price Inquiry.exe | malicious | FormBook | 162.0.213.94
ACPCA | NjjLYnPSZr.exe | malicious | FormBook | 162.0.213.72
ACPCA | bSgEe4v0It.elf | malicious | Unknown | 162.48.169.211
ACPCA | 3qsTcL9MOT.exe | malicious | FormBook | 162.0.213.94
ACPCA | QmBe2eUtqs.exe | malicious | DarkCloud | 162.55.60.2
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                            Category:dropped
                                                            Size (bytes):13710
                                                            Entropy (8bit):7.834120626990544
                                                            Encrypted:false
                                                            SSDEEP:192:Lj4THRrixctC0bE0ASU/0GVfT9LVfT9bjL/TodKjC9gypgyYnAvPvaSYKpKy8Y3l:Ljq3C10ynb5H8dZ99p9BPS6QZN2
                                                            MD5:C0CCEB4448B667CF8EF9BAEA7F4F229C
                                                            SHA1:85005A006883B9047B827BC213BB493FCA817C2D
                                                            SHA-256:2AD126BD5F46E60E7B45A80E03F4BA512E9A74BF5DA3B57CA844CFD8A40BE175
                                                            SHA-512:74685FBA111E8768703773735630E16F5AC4AE6BA2FEB9EA88F77DF324E7C7E4F1AE5D87390A7204B53D3EC60A9797B37FD03D7EF75587C2886C0444A177A18D
                                                            Malicious:false
                                                            Reputation:low
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                            Category:dropped
                                                            Size (bytes):16384
                                                            Entropy (8bit):0.7042950971872437
                                                            Encrypted:false
                                                            SSDEEP:12:rl3lKFQCb77aU7K5BbVXCX1viv6YcrcYs9j555555555555K//l:rG7K5BbE1q1E/
                                                            MD5:3CA9AC4F8686891105EE715D5BF7AB5D
                                                            SHA1:4412DE049D11FAFF07547266AF79655E1A43252C
                                                            SHA-256:1E56D0792640658D9E216BF9AE31ABCDA603178737F697EA38ADBF9547A4FDD3
                                                            SHA-512:62DFF9E2BC75F13BED2853682EACC418335F0DB82E65FA7CEB8BFA2CD6B965B7F12CC69752B27B6AD227680FCBC85A06EF8E45C58FDC48AE94C3A58084A38BA3
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe
                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                            Category:dropped
                                                            Size (bytes):16384
                                                            Entropy (8bit):0.7042950971872437
                                                            Encrypted:false
                                                            SSDEEP:12:rl3lKFQCb77aU7K5BbVXCX1viv6YcrcYs9j555555555555K//l:rG7K5BbE1q1E/
                                                            MD5:3CA9AC4F8686891105EE715D5BF7AB5D
                                                            SHA1:4412DE049D11FAFF07547266AF79655E1A43252C
                                                            SHA-256:1E56D0792640658D9E216BF9AE31ABCDA603178737F697EA38ADBF9547A4FDD3
                                                            SHA-512:62DFF9E2BC75F13BED2853682EACC418335F0DB82E65FA7CEB8BFA2CD6B965B7F12CC69752B27B6AD227680FCBC85A06EF8E45C58FDC48AE94C3A58084A38BA3
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:Zip archive data (empty)
                                                            Category:dropped
                                                            Size (bytes):24
                                                            Entropy (8bit):1.4575187496394222
                                                            Encrypted:false
                                                            SSDEEP:3:pjt/lC:NtU
                                                            MD5:98A833E15D18697E8E56CDAFB0642647
                                                            SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                                                            SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                                                            SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:PK......................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:Zip archive data (empty)
                                                            Category:dropped
                                                            Size (bytes):24
                                                            Entropy (8bit):1.4575187496394222
                                                            Encrypted:false
                                                            SSDEEP:3:pjt/lC:NtU
                                                            MD5:98A833E15D18697E8E56CDAFB0642647
                                                            SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                                                            SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                                                            SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                                                            Malicious:false
                                                            Preview:PK......................
                                                            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe
                                                            File Type:Zip archive data (empty)
                                                            Category:dropped
                                                            Size (bytes):24
                                                            Entropy (8bit):1.4575187496394222
                                                            Encrypted:false
                                                            SSDEEP:3:pjt/lC:NtU
                                                            MD5:98A833E15D18697E8E56CDAFB0642647
                                                            SHA1:E5F94D969899646A3D4635F28A7CD9DD69705887
                                                            SHA-256:FF006C86B5EC033FE3CAFD759BF75BE00E50C375C75157E99C0C5D39C96A2A6C
                                                            SHA-512:C6F9A09D9707B770DBC10D47C4D9B949F4EBF5F030B5EF8C511B635C32D418AD25D72EEE5D7ED02A96AEB8BF2C85491CA1AA0E4336D242793C886ED1BCDD910B
                                                            Malicious:false
                                                            Preview:PK......................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701704028955216
                                                            Encrypted:false
                                                            SSDEEP:24:t3GWl91lGAalI86LPpWzUkxooDp2Eb6PEA7lhhzhahpmvYMp+wq2MseSnIrzv:t2Wl91lGAad/xoo12e6MyF4/jMp+t2Mh
                                                            MD5:5F97B24D9F05FA0379F5E540DA8A05B0
                                                            SHA1:D4E1A893EFD370529484B46EE2F40595842C849E
                                                            SHA-256:58C103C227966EC93D19AB5D797E1F16E33DCF2DE83FA9E63E930C399E2AD396
                                                            SHA-512:A175FDFC82D79343CD764C69CD6BA6B2305424223768EAB081AD7741AA177D44A4E6927190AD156D5641AAE143D755164B07CB0BBC9AA856C4772376112B4B24
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.700739677288544
                                                            Encrypted:false
                                                            SSDEEP:24:ppydEKvTSBiqFHi8v+wyNV+fxloGJjN3y5j1xTEC3ugbIvso8wFjas:rmEKvMiYC8Wwyr88GFAH/UvsuZl
                                                            MD5:57582F5B6AE65D8DFCBD4A26382C6138
                                                            SHA1:DC27AD5E54D1BDCCA4EC0D54ED1FB5A3235E9842
                                                            SHA-256:7918D6E76741E42934BB32547E2D7EA395304AEA3383C0E6B7FCF82ACE125749
                                                            SHA-512:6D75F68E608CB12378605F06C74F2F0414486072CC25961A1EA421B94EA5827F92110B902C2190E04AAE2D79152B0AB9B5B1ACECDCAAADD93A6F25028DD1E060
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690299109915258
                                                            Encrypted:false
                                                            SSDEEP:24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
                                                            MD5:F0D9DE697149ECBC1D88C7EA4841E5BD
                                                            SHA1:06A2A47C12B3554397AA0C8F483411CAB366947D
                                                            SHA-256:5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
                                                            SHA-512:E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.692024230831571
                                                            Encrypted:false
                                                            SSDEEP:24:RXklo22NBtmSOCPX4hQpKZCuvImjwxwo1:v22NBtxOCYQ0EuwmMxz
                                                            MD5:086908C2D2FAA8C9284EAB6D70682A47
                                                            SHA1:1BCA47E5FFEC5FD3CE416A922BC3F905C8FE27C4
                                                            SHA-256:40C76F418FBB2A515AF4DEC81E501CEB725FD4C916D50FCA1A82B9F5ABC1DCCF
                                                            SHA-512:02C48E3CDA1DC748CD3F30B2384D515B50C1DFD63651554AD3D4562B1A47F5446098DCED47A0766D184DDB30B3F158ABEC5877C9CA28AB191CEBB0782C26B230
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690071120548773
                                                            Encrypted:false
                                                            SSDEEP:24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
                                                            MD5:8F49644C9029260CF4D4802C90BA5CED
                                                            SHA1:0A49DD925EF88BDEA0737A4151625525E247D315
                                                            SHA-256:C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
                                                            SHA-512:CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.701188456968639
                                                            Encrypted:false
                                                            SSDEEP:24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
                                                            MD5:18A3248DC9C539CCD2C8419D200F1C4D
                                                            SHA1:3B2CEE87F3426C4A08959E9861D274663420215C
                                                            SHA-256:27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
                                                            SHA-512:F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.694921863932654
                                                            Encrypted:false
                                                            SSDEEP:24:IrXCbQfFinplOQLb3PE8zc+qQtqXyXp0KS5bvAcIFZD/:ITCbWiplOQHXzddmyC5LkN/
                                                            MD5:62949C1D490A67816174BD0CD1F9264D
                                                            SHA1:1F3D8262179A769CDCCECE24AAAC12384E1C3F26
                                                            SHA-256:DD2EED4F65D047B47F0BA09DF3A4CB1AEF399952780B8011D07C7F800CFDCC89
                                                            SHA-512:7E067C700CD325164E580CF6BF383042143332F6E2AE57D422A676C4D50E39712FF0BBE0DBC674BDDD89EBDA26068F076AD2999811F7A171CE77F95566186807
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.699035280300431
                                                            Encrypted:false
                                                            SSDEEP:24:2K+HhhxBDOKcj1EbpPxE9RWvyJ92F37dsnnjjP2wM:PihXtFU1Qxbqy702wM
                                                            MD5:8EAF322B33BEFF7BE1894E24D83B1B7B
                                                            SHA1:D8F3C27685BD749C7291364410AA443252AE72BA
                                                            SHA-256:47E9070ED41D827FF8A2CB624635C60720418D6008B2F3C3BC504924AC84B3FD
                                                            SHA-512:C833EFABDD17F91A1C5C3AC202B867F7ADCAD29D21382170D2743EA9D6FF80B47CE2BC39B6B4B89CFDF227391DA9019CC50F4196EFF51FA1D93D753EC1CA53F6
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6998645060098685
                                                            Encrypted:false
                                                            SSDEEP:24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
                                                            MD5:1676F91570425F6566A5746BC8E8427E
                                                            SHA1:0F922133E2BEF0B48C623BEFA0C77361F6FA3900
                                                            SHA-256:534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
                                                            SHA-512:07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.696724055101702
                                                            Encrypted:false
                                                            SSDEEP:24:amL3nXTtZkQxqip7hViX2Zka12//5V9PP+Iw5ZrfqoV2P8S7FpwmKxlTn:xXL4ivV62qaI/xVhVWZ+X8SxKDT
                                                            MD5:1FFF6A639C738561CDC01BD436BA77C1
                                                            SHA1:BAFB1D68D43B177330F701BA01CA1AD19CB4FBB8
                                                            SHA-256:C2279E62766B7EFD46442641AECB3D9A0A25CE999296AC5BA9DA7BF18B2BDA92
                                                            SHA-512:65EFD5B1E235EF6AD917EAF95E16E3287CA9720F3F0EE989667A1DBB651693580415182F64FFA7538986E2BE7F19AC030836DF62489BB49C42383F5FCD3FA5D2
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.685942106278079
                                                            Encrypted:false
                                                            SSDEEP:24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
                                                            MD5:3F6896A097F6B0AE6A2BF3826C813DFC
                                                            SHA1:951214AB37DEA766005DD981B0B3D61F936B035B
                                                            SHA-256:E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
                                                            SHA-512:C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6969712158039245
                                                            Encrypted:false
                                                            SSDEEP:24:zDLHcjI8IQ6sNUYzo1jfRRMF6zzC3ZzNTWx7M00:zDL4ImUYzebRR66C3Z0JMR
                                                            MD5:31CD00400A977C512B9F1AF51F2A5F90
                                                            SHA1:3A6B9ED88BD73091D5685A51CB4C8870315C4A81
                                                            SHA-256:E01ADE9C56AF2361A5ADC05ADE2F5727DF1B80311A0FDC6F15B2E0FFFACC9067
                                                            SHA-512:0521ED245FA8F46DE9502CD53F5A50B01B4E83983CC6D9DE0CF02E54D2825C1C26A748CC27E24633DA1171CE0309323235ECF7EB536D4058214D7618794CF2FA
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.702247102869977
                                                            Encrypted:false
                                                            SSDEEP:24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
                                                            MD5:B734D7226D90E4FD8228EE89C7DD26DA
                                                            SHA1:EDA7F371036A56A0DE687FF97B01F355C5060846
                                                            SHA-256:ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
                                                            SHA-512:D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.690474000177721
                                                            Encrypted:false
                                                            SSDEEP:24:2OgtZqoLtXCKESzKP+tziBUswJwLVk9zxY/tks7VMejXhggCon:cLtXZEmKPopswJEqxUkp82an
                                                            MD5:A01E6B89B2F69F2DA25CB28751A6261C
                                                            SHA1:48C11C0BECEB053F3DB16EC43135B20360E77E9B
                                                            SHA-256:0D0EB85E2964B5DDA19C78D11B536C72544AE51B09DBEC26E70C69ADDC7E9AA5
                                                            SHA-512:1E335E567B7F959E7524E532E257FBC0A21818BDCE0B909F83CBBCE8013FA61A8D665D7DED0982F87B29A5A786A0EE7129792A1B2D48DD205180569D9E919059
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.6980379859154695
                                                            Encrypted:false
                                                            SSDEEP:24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
                                                            MD5:4E3F4BE1B97FA984F75F11D95B1C2602
                                                            SHA1:C34EB2BF97AB4B0032A4BB92B9579B00514DC211
                                                            SHA-256:59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
                                                            SHA-512:DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.3128275092660635
                                                            Encrypted:false
                                                            SSDEEP:6:t0S+f2q+f2q+f2q+f2q+f2q+f2q+f2qL2qL2qL2qLx:t0SwxwxwxwxwxwxwxLxLxLxLx
                                                            MD5:264E3744335F906B0035A04213F29404
                                                            SHA1:11A505066DB6C0590FA04284AD7DC60767BEB36F
                                                            SHA-256:BA06A4296C699D960FEA4A3D57A14DEBFEF773165136DC97E61F32CDDDD81CBA
                                                            SHA-512:23C7DFC8B4A9C65C3C887FEB9B734492548AC007107BC193BB065ED668E3887D14F75261DEC85DF729AABF60E3D7CE45CD1532297224451321372A842A2CEBCD
                                                            Malicious:false
                                                            Preview:..[05:30:15]<<Program Manager>>....[05:30:15]<<Program Manager>>....[05:30:15]<<Program Manager>>....[05:30:15]<<Program Manager>>....[05:30:15]<<Program Manager>>....[05:30:15]<<Program Manager>>....[05:30:15]<<Program Manager>>....[05:30:16]<<Program Manager>>....[05:30:16]<<Program Manager>>....[05:30:16]<<Program Manager>>....[05:30:16]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.249851857621194
                                                            Encrypted:false
                                                            SSDEEP:12:t0SYpxYpxYpxYpxYpxYpxYpxfxfxfxfxQfx:tN22222225555o
                                                            MD5:46E195B1CA6C9A3D35E750B510BC04E3
                                                            SHA1:EB68FA9B6377ABFB3F204E415B67BB32A074C3A7
                                                            SHA-256:0517E1529470C16AC29EF934FEE30F85ADBA3EE2DF68B216880E106AC224A8E8
                                                            SHA-512:2B333DE7402C466AD105E05DE7107C039E667AE0F7D4A635ABFF46E96497CE23A8CFD3E104B7BB4D782514E8283BCA9B6F5431E4DF486DE63267ED7C05FEF2BB
                                                            Malicious:false
                                                            Preview:..[05:30:55]<<Program Manager>>....[05:30:55]<<Program Manager>>....[05:30:55]<<Program Manager>>....[05:30:55]<<Program Manager>>....[05:30:55]<<Program Manager>>....[05:30:55]<<Program Manager>>....[05:30:55]<<Program Manager>>....[05:30:56]<<Program Manager>>....[05:30:56]<<Program Manager>>....[05:30:56]<<Program Manager>>....[05:30:56]<<Program Manager>>....[05:30:57]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.278255577780892
                                                            Encrypted:false
                                                            SSDEEP:6:t0SMN2qMN2qMN2qMN2qMN2qMN2qMN2qndp2qndp2qndp2qndpx:t0SMNxMNxMNxMNxMNxMNxMNxndpxndp1
                                                            MD5:12C8C8A4BD9AB269A1268F8AFEFB18F0
                                                            SHA1:3BC1B4014DB05D050063942EA17FC3A43288A170
                                                            SHA-256:C9E4943D097F4A5D354AFD840AEBBC005D45F066EDD0DF2154682902D0BE1083
                                                            SHA-512:1968B9474935D0D9772798B6B433E21B5A68B88CA9EAAAD45DD1DB19825A6121BF74F03CA5B327D18EB2C8DDED389D3DE54B5256B44B7D55010C28370F48E4E6
                                                            Malicious:false
                                                            Preview:..[05:30:22]<<Program Manager>>....[05:30:22]<<Program Manager>>....[05:30:22]<<Program Manager>>....[05:30:22]<<Program Manager>>....[05:30:22]<<Program Manager>>....[05:30:22]<<Program Manager>>....[05:30:22]<<Program Manager>>....[05:30:23]<<Program Manager>>....[05:30:23]<<Program Manager>>....[05:30:23]<<Program Manager>>....[05:30:23]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.316550008558178
                                                            Encrypted:false
                                                            SSDEEP:12:t0SOpxOpxOpxOpxCxCxCxCxCxCxjfxjfx:tNEEEE888888t9
                                                            MD5:0A92C209AD52590556C30813AC76D914
                                                            SHA1:B3B7F9CA95607FEA2E49A51223FDF49C9D20B016
                                                            SHA-256:4386E3906854B8557DB77A9A0DF76555B4D415B6836E6C9897521A1B12A5C02A
                                                            SHA-512:90B3C0991D8CD1EDE5294954127002A4FDD23E3C82E78582D7F18DCC5CA5C6886680B03E1813976DB4B08E9267348F0100846F49EAD2FB2C9BF3BC9A6AE695D6
                                                            Malicious:false
                                                            Preview:..[05:30:39]<<Program Manager>>....[05:30:39]<<Program Manager>>....[05:30:39]<<Program Manager>>....[05:30:39]<<Program Manager>>....[05:30:40]<<Program Manager>>....[05:30:40]<<Program Manager>>....[05:30:40]<<Program Manager>>....[05:30:40]<<Program Manager>>....[05:30:40]<<Program Manager>>....[05:30:40]<<Program Manager>>....[05:30:41]<<Program Manager>>....[05:30:41]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.2370575660986916
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:04]<<Program Manager>>....[05:30:04]<<Program Manager>>....[05:30:04]<<Program Manager>>....[05:30:04]<<Program Manager>>....[05:30:04]<<Program Manager>>....[05:30:04]<<Program Manager>>....[05:30:05]<<Program Manager>>....[05:30:05]<<Program Manager>>....[05:30:05]<<Program Manager>>....[05:30:05]<<Program Manager>>....[05:30:05]<<Program Manager>>....[05:30:05]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.362098822605423
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:27]<<Program Manager>>....[05:30:27]<<Program Manager>>....[05:30:27]<<Program Manager>>....[05:30:27]<<Program Manager>>....[05:30:27]<<Program Manager>>....[05:30:27]<<Program Manager>>....[05:30:28]<<Program Manager>>....[05:30:28]<<Program Manager>>....[05:30:28]<<Program Manager>>....[05:30:28]<<Program Manager>>....[05:30:28]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.3114292424964615
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:31:09]<<Program Manager>>....[05:31:09]<<Program Manager>>....[05:31:09]<<Program Manager>>....[05:31:09]<<Program Manager>>....[05:31:10]<<Program Manager>>....[05:31:10]<<Program Manager>>....[05:31:10]<<Program Manager>>....[05:31:10]<<Program Manager>>....[05:31:10]<<Program Manager>>....[05:31:10]<<Program Manager>>....[05:31:11]<<Program Manager>>....[05:31:11]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.27241143636508
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:05]<<Program Manager>>....[05:30:06]<<Program Manager>>....[05:30:06]<<Program Manager>>....[05:30:06]<<Program Manager>>....[05:30:06]<<Program Manager>>....[05:30:06]<<Program Manager>>....[05:30:06]<<Program Manager>>....[05:30:06]<<Program Manager>>....[05:30:07]<<Program Manager>>....[05:30:07]<<Program Manager>>....[05:30:07]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.253616655308375
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:32]<<Program Manager>>....[05:30:32]<<Program Manager>>....[05:30:32]<<Program Manager>>....[05:30:32]<<Program Manager>>....[05:30:33]<<Program Manager>>....[05:30:33]<<Program Manager>>....[05:30:33]<<Program Manager>>....[05:30:33]<<Program Manager>>....[05:30:33]<<Program Manager>>....[05:30:33]<<Program Manager>>....[05:30:34]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.328176770215666
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:31:04]<<Program Manager>>....[05:31:04]<<Program Manager>>....[05:31:04]<<Program Manager>>....[05:31:04]<<Program Manager>>....[05:31:05]<<Program Manager>>....[05:31:05]<<Program Manager>>....[05:31:05]<<Program Manager>>....[05:31:05]<<Program Manager>>....[05:31:05]<<Program Manager>>....[05:31:05]<<Program Manager>>....[05:31:06]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.23632874610428
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:50]<<Program Manager>>....[05:30:50]<<Program Manager>>....[05:30:50]<<Program Manager>>....[05:30:50]<<Program Manager>>....[05:30:50]<<Program Manager>>....[05:30:50]<<Program Manager>>....[05:30:50]<<Program Manager>>....[05:30:51]<<Program Manager>>....[05:30:51]<<Program Manager>>....[05:30:51]<<Program Manager>>....[05:30:51]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.362098822605423
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:41]<<Program Manager>>....[05:30:41]<<Program Manager>>....[05:30:41]<<Program Manager>>....[05:30:41]<<Program Manager>>....[05:30:41]<<Program Manager>>....[05:30:41]<<Program Manager>>....[05:30:42]<<Program Manager>>....[05:30:42]<<Program Manager>>....[05:30:42]<<Program Manager>>....[05:30:42]<<Program Manager>>....[05:30:42]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.25993294495213
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:34]<<Program Manager>>....[05:30:34]<<Program Manager>>....[05:30:34]<<Program Manager>>....[05:30:34]<<Program Manager>>....[05:30:34]<<Program Manager>>....[05:30:34]<<Program Manager>>....[05:30:35]<<Program Manager>>....[05:30:35]<<Program Manager>>....[05:30:35]<<Program Manager>>....[05:30:35]<<Program Manager>>....[05:30:35]<<Program Manager>>....[05:30:35]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.307252879770127
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:31:00]<<Program Manager>>....[05:31:00]<<Program Manager>>....[05:31:00]<<Program Manager>>....[05:31:01]<<Program Manager>>....[05:31:01]<<Program Manager>>....[05:31:01]<<Program Manager>>....[05:31:01]<<Program Manager>>....[05:31:01]<<Program Manager>>....[05:31:02]<<Program Manager>>....[05:31:02]<<Program Manager>>....[05:31:02]<<Program Manager>>....[05:31:02]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.245338566789945
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:00]<<Program Manager>>....[05:30:00]<<Program Manager>>....[05:30:00]<<Program Manager>>....[05:30:00]<<Program Manager>>....[05:30:01]<<Program Manager>>....[05:30:01]<<Program Manager>>....[05:30:01]<<Program Manager>>....[05:30:01]<<Program Manager>>....[05:30:01]<<Program Manager>>....[05:30:01]<<Program Manager>>....[05:30:02]<<Program Manager>>....[05:30:02]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.25993294495213
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:53]<<Program Manager>>....[05:30:53]<<Program Manager>>....[05:30:53]<<Program Manager>>....[05:30:53]<<Program Manager>>....[05:30:53]<<Program Manager>>....[05:30:53]<<Program Manager>>....[05:30:54]<<Program Manager>>....[05:30:54]<<Program Manager>>....[05:30:54]<<Program Manager>>....[05:30:54]<<Program Manager>>....[05:30:54]<<Program Manager>>....[05:30:54]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.2498667572763305
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:02]<<Program Manager>>....[05:30:02]<<Program Manager>>....[05:30:02]<<Program Manager>>....[05:30:02]<<Program Manager>>....[05:30:02]<<Program Manager>>....[05:30:03]<<Program Manager>>....[05:30:03]<<Program Manager>>....[05:30:03]<<Program Manager>>....[05:30:03]<<Program Manager>>....[05:30:03]<<Program Manager>>....[05:30:04]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.310680567856233
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:29:55]<<Program Manager>>....[05:29:55]<<Program Manager>>....[05:29:55]<<Program Manager>>....[05:29:55]<<Program Manager>>....[05:29:55]<<Program Manager>>....[05:29:56]<<Program Manager>>....[05:29:56]<<Program Manager>>....[05:29:56]<<Program Manager>>....[05:29:56]<<Program Manager>>....[05:29:56]<<Program Manager>>....[05:29:56]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.331606832193178
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:31:02]<<Program Manager>>....[05:31:02]<<Program Manager>>....[05:31:03]<<Program Manager>>....[05:31:03]<<Program Manager>>....[05:31:03]<<Program Manager>>....[05:31:03]<<Program Manager>>....[05:31:03]<<Program Manager>>....[05:31:03]<<Program Manager>>....[05:31:04]<<Program Manager>>....[05:31:04]<<Program Manager>>....[05:31:04]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.310680567856233
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:20]<<Program Manager>>....[05:30:20]<<Program Manager>>....[05:30:20]<<Program Manager>>....[05:30:20]<<Program Manager>>....[05:30:20]<<Program Manager>>....[05:30:21]<<Program Manager>>....[05:30:21]<<Program Manager>>....[05:30:21]<<Program Manager>>....[05:30:21]<<Program Manager>>....[05:30:21]<<Program Manager>>....[05:30:21]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):6594
                                                            Entropy (8bit):4.506519472849213
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:29:08]<<Program Manager>>....[05:29:08]<<Program Manager>>....[05:29:08]<<Program Manager>>....[05:29:08]<<Program Manager>>....[05:29:09]<<Program Manager>>....[05:29:09]<<Program Manager>>....[05:29:09]<<Program Manager>>....[05:29:09]<<Program Manager>>....[05:29:22]<<Program Manager>>....[05:29:23]<<Program Manager>>....[05:29:23]<<Program Manager>>....[05:29:23]<<Program Manager>>....[05:29:23]<<Program Manager>>....[05:29:23]<<Program Manager>>....[05:29:23]<<Program Manager>>....[05:29:23]<<Program Manager>>....[05:29:24]<<Program Manager>>....[05:29:24]<<Program Manager>>....[05:29:24]<<Program Manager>>....[05:29:24]<<Program Manager>>....[05:29:24]<<Program Manager>>....[05:29:24]<<Program Manager>>....[05:29:24]<<Program Manager>>....[05:29:25]<<Program Manager>>....[05:29:25]<<Program Manager>>....[05:29:25]<<Program Manager>>....[05:29:25]<<Program Manager>>....[05:29:25]<<Program Manager>>....[05:29:25]<<Program Manager>>....[05:29:25]<<Program Manager>>....[05:29:2
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.32806940258175
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:23]<<Program Manager>>....[05:30:23]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:24]<<Program Manager>>....[05:30:25]<<Program Manager>>....[05:30:25]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.309425100703304
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:44]<<Program Manager>>....[05:30:44]<<Program Manager>>....[05:30:45]<<Program Manager>>....[05:30:45]<<Program Manager>>....[05:30:45]<<Program Manager>>....[05:30:45]<<Program Manager>>....[05:30:45]<<Program Manager>>....[05:30:45]<<Program Manager>>....[05:30:46]<<Program Manager>>....[05:30:46]<<Program Manager>>....[05:30:46]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.326102677403857
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:29:58]<<Program Manager>>....[05:29:58]<<Program Manager>>....[05:29:59]<<Program Manager>>....[05:29:59]<<Program Manager>>....[05:29:59]<<Program Manager>>....[05:29:59]<<Program Manager>>....[05:29:59]<<Program Manager>>....[05:29:59]<<Program Manager>>....[05:29:59]<<Program Manager>>....[05:30:00]<<Program Manager>>....[05:30:00]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.355488717275795
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:29:53]<<Program Manager>>....[05:29:53]<<Program Manager>>....[05:29:53]<<Program Manager>>....[05:29:53]<<Program Manager>>....[05:29:54]<<Program Manager>>....[05:29:54]<<Program Manager>>....[05:29:54]<<Program Manager>>....[05:29:54]<<Program Manager>>....[05:29:54]<<Program Manager>>....[05:29:54]<<Program Manager>>....[05:29:54]<<Program Manager>>....[05:29:55]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.360633067851595
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:29:57]<<Program Manager>>....[05:29:57]<<Program Manager>>....[05:29:57]<<Program Manager>>....[05:29:57]<<Program Manager>>....[05:29:57]<<Program Manager>>....[05:29:57]<<Program Manager>>....[05:29:57]<<Program Manager>>....[05:29:58]<<Program Manager>>....[05:29:58]<<Program Manager>>....[05:29:58]<<Program Manager>>....[05:29:58]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.301063627004642
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:57]<<Program Manager>>....[05:30:57]<<Program Manager>>....[05:30:57]<<Program Manager>>....[05:30:57]<<Program Manager>>....[05:30:57]<<Program Manager>>....[05:30:57]<<Program Manager>>....[05:30:57]<<Program Manager>>....[05:30:58]<<Program Manager>>....[05:30:58]<<Program Manager>>....[05:30:58]<<Program Manager>>....[05:30:58]<<Program Manager>>....[05:30:58]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.362098822605423
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:48]<<Program Manager>>....[05:30:48]<<Program Manager>>....[05:30:48]<<Program Manager>>....[05:30:48]<<Program Manager>>....[05:30:48]<<Program Manager>>....[05:30:48]<<Program Manager>>....[05:30:49]<<Program Manager>>....[05:30:49]<<Program Manager>>....[05:30:49]<<Program Manager>>....[05:30:49]<<Program Manager>>....[05:30:49]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.370784941334028
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:31:07]<<Program Manager>>....[05:31:08]<<Program Manager>>....[05:31:08]<<Program Manager>>....[05:31:08]<<Program Manager>>....[05:31:08]<<Program Manager>>....[05:31:08]<<Program Manager>>....[05:31:08]<<Program Manager>>....[05:31:08]<<Program Manager>>....[05:31:09]<<Program Manager>>....[05:31:09]<<Program Manager>>....[05:31:09]<<Program Manager>>....[05:31:09]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.3123865710826355
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:13]<<Program Manager>>....[05:30:13]<<Program Manager>>....[05:30:13]<<Program Manager>>....[05:30:13]<<Program Manager>>....[05:30:13]<<Program Manager>>....[05:30:13]<<Program Manager>>....[05:30:13]<<Program Manager>>....[05:30:14]<<Program Manager>>....[05:30:14]<<Program Manager>>....[05:30:14]<<Program Manager>>....[05:30:14]<<Program Manager>>....[05:30:15]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.292685005639719
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:51]<<Program Manager>>....[05:30:51]<<Program Manager>>....[05:30:51]<<Program Manager>>....[05:30:52]<<Program Manager>>....[05:30:52]<<Program Manager>>....[05:30:52]<<Program Manager>>....[05:30:52]<<Program Manager>>....[05:30:52]<<Program Manager>>....[05:30:52]<<Program Manager>>....[05:30:53]<<Program Manager>>....[05:30:53]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.373929164813413
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:16]<<Program Manager>>....[05:30:16]<<Program Manager>>....[05:30:17]<<Program Manager>>....[05:30:17]<<Program Manager>>....[05:30:17]<<Program Manager>>....[05:30:17]<<Program Manager>>....[05:30:17]<<Program Manager>>....[05:30:17]<<Program Manager>>....[05:30:17]<<Program Manager>>....[05:30:18]<<Program Manager>>....[05:30:18]<<Program Manager>>....[05:30:18]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.282982180439569
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:09]<<Program Manager>>....[05:30:09]<<Program Manager>>....[05:30:09]<<Program Manager>>....[05:30:09]<<Program Manager>>....[05:30:10]<<Program Manager>>....[05:30:10]<<Program Manager>>....[05:30:10]<<Program Manager>>....[05:30:10]<<Program Manager>>....[05:30:10]<<Program Manager>>....[05:30:10]<<Program Manager>>....[05:30:11]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.278255577780892
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:43]<<Program Manager>>....[05:30:43]<<Program Manager>>....[05:30:43]<<Program Manager>>....[05:30:43]<<Program Manager>>....[05:30:43]<<Program Manager>>....[05:30:43]<<Program Manager>>....[05:30:43]<<Program Manager>>....[05:30:44]<<Program Manager>>....[05:30:44]<<Program Manager>>....[05:30:44]<<Program Manager>>....[05:30:44]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.362098822605423
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:31:06]<<Program Manager>>....[05:31:06]<<Program Manager>>....[05:31:06]<<Program Manager>>....[05:31:06]<<Program Manager>>....[05:31:06]<<Program Manager>>....[05:31:06]<<Program Manager>>....[05:31:07]<<Program Manager>>....[05:31:07]<<Program Manager>>....[05:31:07]<<Program Manager>>....[05:31:07]<<Program Manager>>....[05:31:07]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.300027007245535
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:36]<<Program Manager>>....[05:30:36]<<Program Manager>>....[05:30:36]<<Program Manager>>....[05:30:36]<<Program Manager>>....[05:30:36]<<Program Manager>>....[05:30:36]<<Program Manager>>....[05:30:36]<<Program Manager>>....[05:30:37]<<Program Manager>>....[05:30:37]<<Program Manager>>....[05:30:37]<<Program Manager>>....[05:30:37]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.33747080427297
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:25]<<Program Manager>>....[05:30:25]<<Program Manager>>....[05:30:25]<<Program Manager>>....[05:30:25]<<Program Manager>>....[05:30:26]<<Program Manager>>....[05:30:26]<<Program Manager>>....[05:30:26]<<Program Manager>>....[05:30:26]<<Program Manager>>....[05:30:26]<<Program Manager>>....[05:30:26]<<Program Manager>>....[05:30:27]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.316825179833395
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:37]<<Program Manager>>....[05:30:37]<<Program Manager>>....[05:30:37]<<Program Manager>>....[05:30:38]<<Program Manager>>....[05:30:38]<<Program Manager>>....[05:30:38]<<Program Manager>>....[05:30:38]<<Program Manager>>....[05:30:38]<<Program Manager>>....[05:30:38]<<Program Manager>>....[05:30:39]<<Program Manager>>....[05:30:39]<<Program Manager>>....[05:30:39]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.3239977247102965
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:28]<<Program Manager>>....[05:30:29]<<Program Manager>>....[05:30:29]<<Program Manager>>....[05:30:29]<<Program Manager>>....[05:30:29]<<Program Manager>>....[05:30:29]<<Program Manager>>....[05:30:29]<<Program Manager>>....[05:30:29]<<Program Manager>>....[05:30:30]<<Program Manager>>....[05:30:30]<<Program Manager>>....[05:30:30]<<Program Manager>>....[05:30:30]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.290447725353914
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:07]<<Program Manager>>....[05:30:07]<<Program Manager>>....[05:30:07]<<Program Manager>>....[05:30:08]<<Program Manager>>....[05:30:08]<<Program Manager>>....[05:30:08]<<Program Manager>>....[05:30:08]<<Program Manager>>....[05:30:08]<<Program Manager>>....[05:30:08]<<Program Manager>>....[05:30:08]<<Program Manager>>....[05:30:09]<<Program Manager>>....[05:30:09]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.37619329853119
                                                            Encrypted:false
                                                            Malicious:false
                                                            Preview:..[05:30:46]<<Program Manager>>....[05:30:46]<<Program Manager>>....[05:30:46]<<Program Manager>>....[05:30:46]<<Program Manager>>....[05:30:47]<<Program Manager>>....[05:30:47]<<Program Manager>>....[05:30:47]<<Program Manager>>....[05:30:47]<<Program Manager>>....[05:30:47]<<Program Manager>>....[05:30:47]<<Program Manager>>....[05:30:48]<<Program Manager>>....[05:30:48]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.30853008705955
                                                            Encrypted:false
                                                            SSDEEP:6:t0SZ2qOf2qOf2qOf2qOf2qOf2qOf2a2a2a2ax:t0SZxAxAxAxAxAxADDDDx
                                                            MD5:160D867FC489E8622AB532101AB9C184
                                                            SHA1:72702C2761626371860A2A094C92643EAFBBFB2D
                                                            SHA-256:F2E12C1E343351E3A9FE9EE7893E6A30FDDA337A288EEA7D0728F67599A5704A
                                                            SHA-512:2FD2C77E9CAAD5D611B04F2EA04D3ECDF918CF15A9F21353BDCC8D04D1D19BFDBB1B6E28185B3BD61DD0E097198907605254BDC0A8607B0BA93A222E45F6C3D6
                                                            Malicious:false
                                                            Preview:..[05:30:58]<<Program Manager>>....[05:30:59]<<Program Manager>>....[05:30:59]<<Program Manager>>....[05:30:59]<<Program Manager>>....[05:30:59]<<Program Manager>>....[05:30:59]<<Program Manager>>....[05:30:59]<<Program Manager>>....[05:31:00]<<Program Manager>>....[05:31:00]<<Program Manager>>....[05:31:00]<<Program Manager>>....[05:31:00]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.368841443423649
                                                            Encrypted:false
                                                            SSDEEP:6:t0St2qt2qt2qIp2qIp2qIp2qIp2qIp2qIp2qU2qUx:t0StxtxtxIpxIpxIpxIpxIpxIpxUxUx
                                                            MD5:7BE7F2844BD0A177AA91C2DFA85CA02E
                                                            SHA1:3A63B619AC99BDE853CEF2A1A5854FF4C8F72A00
                                                            SHA-256:257B37E2C0449A4D53E3AC916B46CCC25101A012A73031D587047474CE74EF56
                                                            SHA-512:6E0E4BD2EF151DD75A956D428FDB313523D89536A2740388EA0FEE52F6FBB6CF62C33D1A1F695418EC69E339608456D1ED34BAEFD0302E271E02469DB9CADB01
                                                            Malicious:false
                                                            Preview:..[05:30:18]<<Program Manager>>....[05:30:18]<<Program Manager>>....[05:30:18]<<Program Manager>>....[05:30:19]<<Program Manager>>....[05:30:19]<<Program Manager>>....[05:30:19]<<Program Manager>>....[05:30:19]<<Program Manager>>....[05:30:19]<<Program Manager>>....[05:30:19]<<Program Manager>>....[05:30:20]<<Program Manager>>....[05:30:20]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):396
                                                            Entropy (8bit):4.279010035927195
                                                            Encrypted:false
                                                            SSDEEP:6:t0ST2qT2qT2qsnf2qsnf2qsnf2qsnf2qsnf2qsnf2qsnf2qR2qRx:t0STxTxTxixixixixixixixRxRx
                                                            MD5:963B25C2E325BFF283CBDADAD8A5D751
                                                            SHA1:F99015C05CCFA9E5ECF732E213265E5135EA2CC5
                                                            SHA-256:058721E57DCB6F5F78F5D332F4E7FB8818EF8BEF076CE16832866BBB24A95C68
                                                            SHA-512:7D38CA9BD7AE23712347AEE478D8710AFD9A9A4AFBB6204EB0F6B4463C34D49594996BE27E3B990708FA4DCFB40EDCCE68EF85A91DAD2AF8B7B60554013C44BB
                                                            Malicious:false
                                                            Preview:..[05:30:30]<<Program Manager>>....[05:30:30]<<Program Manager>>....[05:30:30]<<Program Manager>>....[05:30:31]<<Program Manager>>....[05:30:31]<<Program Manager>>....[05:30:31]<<Program Manager>>....[05:30:31]<<Program Manager>>....[05:30:31]<<Program Manager>>....[05:30:31]<<Program Manager>>....[05:30:31]<<Program Manager>>....[05:30:32]<<Program Manager>>....[05:30:32]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):363
                                                            Entropy (8bit):4.318232857062948
                                                            Encrypted:false
                                                            SSDEEP:6:t0Sc2qc2qc2qc2qc2qc2qH2qH2qH2qH2qHx:t0ScxcxcxcxcxcxHxHxHxHxHx
                                                            MD5:BB8E2FAB26CCE1ED88CA5B245CF7752B
                                                            SHA1:ADF77698DE76B22F693668C3AC5475FEB06704E8
                                                            SHA-256:6BD9EFDE0728AEB8D330BA8E7766BB51C632585E9AB4623231B6C6C1534001D0
                                                            SHA-512:CC41453BAF8F1F21F3723CC8DE4EB5DD97FECDCB1D3466C3A911BBD14962A4E186F7F9ABDB8C2CA83147B3ABA61D2CEEDE0149A12FE6F34D6E16D6ACFC814FD2
                                                            Malicious:false
                                                            Preview:..[05:30:11]<<Program Manager>>....[05:30:11]<<Program Manager>>....[05:30:11]<<Program Manager>>....[05:30:11]<<Program Manager>>....[05:30:11]<<Program Manager>>....[05:30:11]<<Program Manager>>....[05:30:12]<<Program Manager>>....[05:30:12]<<Program Manager>>....[05:30:12]<<Program Manager>>....[05:30:12]<<Program Manager>>....[05:30:12]<<Program Manager>>..
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                            Category:dropped
                                                            Size (bytes):40960
                                                            Entropy (8bit):0.8553638852307782
                                                            Encrypted:false
                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758352184110435
                                                            Encrypted:false
                                                            SSDEEP:12288:ncjTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:UTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:E66F85D51087F0E2D44494FCC3DB2604
                                                            SHA1:9C43CC7AEB7F70DA1256E54FAA393928C6BAE852
                                                            SHA-256:E0AA0D3656C224AB70B2888B46F1D56210AE46C2A1397B9231EE5DAE722A0B32
                                                            SHA-512:2672074B3BAA57E6AD7B23B93DACDA32D71BC21852FF172E7ACF954A2DD04B701B148E48CD4473C079402401CE2429E9078EB02BD144071636BA5384AE44FC5C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758291991788719
                                                            Encrypted:false
                                                            SSDEEP:12288:nFnTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:ZTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:CBCA82F1D511909C54C105D643041610
                                                            SHA1:9409B2E9095E4098862694055E9DAD2456700CD3
                                                            SHA-256:C70DDD01F0C9D9DF7EACDEFDA080989E1839BED125F7ABED05C625CBFEF5EC6D
                                                            SHA-512:8091CA72E0CA55A27E3B13F232F8DE04634DF7A818C088566DCE50B966C232DD06E9AF318A57349CC2E54DEDDC7BC9FA80410759C73EB2597DADADAB140868B3
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.763175573868854
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+vwo1Rg7RMMUUUXZUR:CTevHPYzi3Utck7Xa6MOW/vXwp
                                                            MD5:CCD7BF782757449017916B4472EFFE2D
                                                            SHA1:C075C0BE627CD9E3CFF3E564331A4975B85841AD
                                                            SHA-256:5C908CA88F476BD8C0D3A36C949CEED4DFFAD84A8D732F3CEB88BDE1D7FE58FC
                                                            SHA-512:F94172DE41EF7A977B4CA530C5B9E51DD81372779AB00D92CEEE6FF03F92643D6ECCD9723D00E60787E3C841E79F065AF07FB267E672DD823164EEA8619A0D93
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758352184110435
                                                            Encrypted:false
                                                            SSDEEP:12288:ncjTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:UTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:E66F85D51087F0E2D44494FCC3DB2604
                                                            SHA1:9C43CC7AEB7F70DA1256E54FAA393928C6BAE852
                                                            SHA-256:E0AA0D3656C224AB70B2888B46F1D56210AE46C2A1397B9231EE5DAE722A0B32
                                                            SHA-512:2672074B3BAA57E6AD7B23B93DACDA32D71BC21852FF172E7ACF954A2DD04B701B148E48CD4473C079402401CE2429E9078EB02BD144071636BA5384AE44FC5C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758291991788719
                                                            Encrypted:false
                                                            SSDEEP:12288:nFnTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:ZTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:CBCA82F1D511909C54C105D643041610
                                                            SHA1:9409B2E9095E4098862694055E9DAD2456700CD3
                                                            SHA-256:C70DDD01F0C9D9DF7EACDEFDA080989E1839BED125F7ABED05C625CBFEF5EC6D
                                                            SHA-512:8091CA72E0CA55A27E3B13F232F8DE04634DF7A818C088566DCE50B966C232DD06E9AF318A57349CC2E54DEDDC7BC9FA80410759C73EB2597DADADAB140868B3
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.713737945083221
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUh:CTevHPYzi3Utcg7XaTlz5Ww96l
                                                            MD5:C643553E81B48AD5948AFCCDF13F63E3
                                                            SHA1:D440B5D9F2EE7895BFED2DAA2EE3CA2CD1EB78B9
                                                            SHA-256:3AC52500B94DE8D56EB8F54A52F78D265BB4C9B50B1284451B89A2F1DA069C43
                                                            SHA-512:702541AEE2D9265A1FB784959253053E967BF1AC5A506BCFCB9385FA14C198AFD3ABC7DB4CCE05261F54CD1E595E615FFA77D47DAEBCFB54795FDE5A74BB1D74
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758291991788719
                                                            Encrypted:false
                                                            SSDEEP:12288:nFnTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:ZTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:CBCA82F1D511909C54C105D643041610
                                                            SHA1:9409B2E9095E4098862694055E9DAD2456700CD3
                                                            SHA-256:C70DDD01F0C9D9DF7EACDEFDA080989E1839BED125F7ABED05C625CBFEF5EC6D
                                                            SHA-512:8091CA72E0CA55A27E3B13F232F8DE04634DF7A818C088566DCE50B966C232DD06E9AF318A57349CC2E54DEDDC7BC9FA80410759C73EB2597DADADAB140868B3
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.774039000867197
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUp:CTevHPYzi3Utcg7XarCN6lQMIsk
                                                            MD5:9986ADAB90CECABF3AF3A3A61F02D929
                                                            SHA1:A295817BA51DDD712C07AD4F087571D0198B1E50
                                                            SHA-256:D826BC5F3329C85F23FEAB0EB9DCE34A530618469056DFC805FCC0112754158D
                                                            SHA-512:F6D5884EC17AC50C95D6760B04268C4F3301CFF1583A576DD1AF5578340E930B73564C341D7B4744AB594EDA9E77AEC3D8D08B6600C3C4CC7301B5336A28D4B2
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.775927396414871
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZU7:CTevHPYzi3Utcg7XaDNZnrE7wA
                                                            MD5:5F04C950EC0697FE3C4C510B4BA46D45
                                                            SHA1:64C6664D059C429C08E434A3623DDB40FEDA595E
                                                            SHA-256:FD607B41979A189702B947B9D4EF32ED8014EC3B001D52D49A5F62E3EA1D75D2
                                                            SHA-512:52B5047181B1A5188EA0C5344DFCE7EA90CD7672CE7CB20A29435CA16EE2E8AE649FD22721B87C838CF802433BD6C7F473AF58E8AA589064DA5674616516D955
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758352184110435
                                                            Encrypted:false
                                                            SSDEEP:12288:ncjTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:UTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:E66F85D51087F0E2D44494FCC3DB2604
                                                            SHA1:9C43CC7AEB7F70DA1256E54FAA393928C6BAE852
                                                            SHA-256:E0AA0D3656C224AB70B2888B46F1D56210AE46C2A1397B9231EE5DAE722A0B32
                                                            SHA-512:2672074B3BAA57E6AD7B23B93DACDA32D71BC21852FF172E7ACF954A2DD04B701B148E48CD4473C079402401CE2429E9078EB02BD144071636BA5384AE44FC5C
                                                            Malicious:false
                                                            Preview:BM6.<.....6...(.....................<.................$..$..#..#..#..#..#..#..$..$..$..$..$..$..$..$..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#..#....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758352184110435
                                                            Encrypted:false
                                                            SSDEEP:12288:ncjTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:UTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:E66F85D51087F0E2D44494FCC3DB2604
                                                            SHA1:9C43CC7AEB7F70DA1256E54FAA393928C6BAE852
                                                            SHA-256:E0AA0D3656C224AB70B2888B46F1D56210AE46C2A1397B9231EE5DAE722A0B32
                                                            SHA-512:2672074B3BAA57E6AD7B23B93DACDA32D71BC21852FF172E7ACF954A2DD04B701B148E48CD4473C079402401CE2429E9078EB02BD144071636BA5384AE44FC5C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.713737945083221
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUh:CTevHPYzi3Utcg7XaTlz5Ww96l
                                                            MD5:C643553E81B48AD5948AFCCDF13F63E3
                                                            SHA1:D440B5D9F2EE7895BFED2DAA2EE3CA2CD1EB78B9
                                                            SHA-256:3AC52500B94DE8D56EB8F54A52F78D265BB4C9B50B1284451B89A2F1DA069C43
                                                            SHA-512:702541AEE2D9265A1FB784959253053E967BF1AC5A506BCFCB9385FA14C198AFD3ABC7DB4CCE05261F54CD1E595E615FFA77D47DAEBCFB54795FDE5A74BB1D74
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:modified
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758352184110435
                                                            Encrypted:false
                                                            SSDEEP:12288:ncjTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:UTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:E66F85D51087F0E2D44494FCC3DB2604
                                                            SHA1:9C43CC7AEB7F70DA1256E54FAA393928C6BAE852
                                                            SHA-256:E0AA0D3656C224AB70B2888B46F1D56210AE46C2A1397B9231EE5DAE722A0B32
                                                            SHA-512:2672074B3BAA57E6AD7B23B93DACDA32D71BC21852FF172E7ACF954A2DD04B701B148E48CD4473C079402401CE2429E9078EB02BD144071636BA5384AE44FC5C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758352184110435
                                                            Encrypted:false
                                                            SSDEEP:12288:ncjTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:UTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:E66F85D51087F0E2D44494FCC3DB2604
                                                            SHA1:9C43CC7AEB7F70DA1256E54FAA393928C6BAE852
                                                            SHA-256:E0AA0D3656C224AB70B2888B46F1D56210AE46C2A1397B9231EE5DAE722A0B32
                                                            SHA-512:2672074B3BAA57E6AD7B23B93DACDA32D71BC21852FF172E7ACF954A2DD04B701B148E48CD4473C079402401CE2429E9078EB02BD144071636BA5384AE44FC5C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.764556173976158
                                                            Encrypted:false
                                                            SSDEEP:12288:6j+7InocHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:x7BcHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:061765188B186AB440213D1C6EDBE290
                                                            SHA1:B7AA96F924A5FDB0E0B9FAFC911AB7ACBA3A1C2D
                                                            SHA-256:3EF4345BAF387E2440E2020047EED96D22E42AE2B8A584E15AEEC80F2966BE1E
                                                            SHA-512:97753E6D32216DBDB4EFB91A4A97441FA787864DD6644007A8D38A428992270B538F563068536029E1DDFC444D0AEA596AD137172E3F720002C2BDF8849D962A
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PC bitmap, Windows 3.x format, 1280 x 1024 x 24, image size 3932160, cbSize 3932214, bits offset 54
                                                            Category:dropped
                                                            Size (bytes):3932214
                                                            Entropy (8bit):6.758304893769377
                                                            Encrypted:false
                                                            SSDEEP:12288:nIBTDU5vHPYGXu9iQDyGABaj/rHSTLFKLSUt/IitIJkVjl+SnrgspPRMMUUUXZUR:CTevHPYzi3Utcg7Xa6MOW/vXwp
                                                            MD5:91D5E8A1D0ECEBFE35095110CBBA4E16
                                                            SHA1:0938A018AB4516542924BD21BE72EF6DDFCC3D1F
                                                            SHA-256:904F26F6E1D975A9AAF5FB2C1097F1A3E3A926EFFF39F59FDF154C37719875F6
                                                            SHA-512:652FF2AF152E435092170149E279B0BE93788DACAD68BBD78245DC717B0AE4CC795DA48BC0CF7E5780E085357EBB159BA297BD0C96CD57A2175372F95A85B85C
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):106496
                                                            Entropy (8bit):1.136471148832945
                                                            Encrypted:false
                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                            MD5:37B1FC046E4B29468721F797A2BB968D
                                                            SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                            SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                            SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                            Malicious:false
                                                            Process:C:\Users\user\Desktop\Payment-Inv.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):462848
                                                            Entropy (8bit):6.758450744974638
                                                            Encrypted:false
                                                            SSDEEP:12288:rU0ZFgf1KgNxKBAwz05323yvMdb2U3jYKkJj6GmZU:rTZFQKiR23geb2UzYb6nZ
                                                            MD5:D4A26C141B32A5D61EFBE2E7F69C0D00
                                                            SHA1:B66B6969264564861D5121A6A822B87DE385AE91
                                                            SHA-256:B25969EC654BAC567F82DA096178825F2E7B89E03A9E4F7AC6AE2AE98AAA6B08
                                                            SHA-512:96DC77245FA41246C17F98FED9DD2B494B52C2D59E117AAFF1446F4827D9114047CC33D5C04F4C38BAD0958FC35DB43287DD884AE24443B12E3EB616E80C63F9
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, Author: Joe Security
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 74%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..9..9..9.....8..P..?.....8..Rich9..........PE..L......g.................`...........<.......p....@.................................Vr.......................................[..(..........................................................................(... .......l............................text....Z.......`.................. ..`.data...h....p.......p..............@....rsrc..............................@..@..^............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):6.758450744974638
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 98.59%
                                                            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                            • UPX compressed Win32 Executable (30571/9) 0.30%
                                                            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            File name:Payment-Inv.exe
                                                            File size:462'848 bytes
                                                            MD5:d4a26c141b32a5d61efbe2e7f69c0d00
                                                            SHA1:b66b6969264564861d5121a6a822b87de385ae91
                                                            SHA256:b25969ec654bac567f82da096178825f2e7b89e03a9e4f7ac6ae2ae98aaa6b08
                                                            SHA512:96dc77245fa41246c17f98fed9dd2b494b52c2d59e117aaff1446f4827d9114047cc33d5c04f4c38bad0958fc35db43287dd884ae24443b12e3eb616e80c63f9
                                                            SSDEEP:12288:rU0ZFgf1KgNxKBAwz05323yvMdb2U3jYKkJj6GmZU:rTZFQKiR23geb2UzYb6nZ
                                                            TLSH:CBA4292BE651702EF4A3C9B1E6D4A267A8156D3711A5E81BF3866F0532351D3B8F032F
                                                            Icon Hash:f48a97969696ca75
                                                            Entrypoint:0x403cfc
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                            DLL Characteristics:
                                                            Time Stamp:0x670FE298 [Wed Oct 16 15:58:16 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:ab942ef965a00d8ce4a98e4a647d3268
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x45bb4 | 0x28 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x28ee4 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x36c | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x45a10 | 0x46000 | fcac1e251206566671208e6c04a4dea5 | False | 0.3358119419642857 | data | 5.77278208450069 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x47000 | 0xf68 | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x48000 | 0x28ee4 | 0x29000 | 43e1b8634d81e8394eedddbe7b9e8aa0 | False | 0.9556021341463414 | data | 7.8718802141790025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| CUSTOM | 0x488e4 | 0x28600 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed | English | United States | 0.9664642995356038 |
| RT_ICON | 0x4837c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | | | 0.14812138728323698 |
| RT_GROUP_ICON | 0x48368 | 0x14 | data | | | 1.25 |
| RT_VERSION | 0x48140 | 0x228 | data | English | United States | 0.49094202898550726 |

| DLL | Import |
|---|---|
| MSVBVM60.DLL | __vbaVarTstGt, __vbaVarSub, __vbaNextEachAry, _CIcos, _adj_fptan, __vbaStrI4, __vbaHresultCheck, __vbaVarMove, __vbaVarVargNofree, __vbaCyMul, __vbaAryMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaPut3, __vbaFreeVarList, _adj_fdiv_m64, __vbaFpCDblR8, __vbaVarIndexStore, __vbaNextEachVar, __vbaFreeObjList, __vbaStrErrVarCopy, __vbaVarIndexLoadRef, _adj_fprem1, __vbaRecAnsiToUni, __vbaResume, __vbaCopyBytes, __vbaStrCat, __vbaLsetFixstr, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaVarXor, __vbaVarIndexLoadRefLock, __vbaLateMemSt, __vbaVarForInit, __vbaForEachCollObj, __vbaExitProc, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarIndexLoad, __vbaBoolVar, __vbaFpR8, __vbaRefVarAry, __vbaVarTstLt, __vbaBoolVarNull, _CIsin, __vbaErase, __vbaVarCmpGt, __vbaNextEachCollObj, __vbaVarZero, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaPutOwner3, __vbaAryConstruct2, __vbaVarTstEq, __vbaDateR8, __vbaPutOwner4, __vbaI2I4, __vbaObjVar, DllFunctionCall, __vbaVarLateMemSt, __vbaVarOr, __vbaFpUI1, __vbaCastObjVar, __vbaRedimPreserve, __vbaLbound, _adj_fpatan, __vbaFixstrConstruct, __vbaR8Cy, __vbaRedim, __vbaRecUniToAnsi, __vbaUI1ErrVar, EVENT_SINK_Release, __vbaNew, __vbaUI1I2, _CIsqrt, __vbaObjIs, __vbaVarAnd, EVENT_SINK_QueryInterface, __vbaStr2Vec, __vbaVarMul, __vbaStrUI1, __vbaUI1I4, __vbaExceptHandler, __vbaPrintFile, __vbaStrToUnicode, __vbaExitEachAry, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaUbound, __vbaStrVarVal, __vbaGetOwner3, __vbaVarCat, __vbaDateVar, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVar2Vec, __vbaVarLateMemCallLdRf, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaVarSetObj, __vbaStrCopy, __vbaVarNot, __vbaFreeStrList, _adj_fdivr_m32, __vbaPowerR8, _adj_fdiv_r, __vbaVarTstNe, __vbaVarSetVar, __vbaI4Var, __vbaForEachAry, __vbaVarCmpEq, __vbaAryLock, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI2, __vbaVarCopy, __vbaVarLateMemCallLd, __vbaFpI4, __vbaVarSetObjAddref, __vbaRecDestructAnsi, __vbaLateMemCallLd, _CIatan, __vbaUI1Str, __vbaCastObj, __vbaAryCopy, __vbaStrMove, __vbaStrVarCopy, __vbaForEachVar, _allmul, __vbaVarLateMemCallSt, _CItan, __vbaAryUnlock, __vbaUI1Var, __vbaVarForNext, _CIexp, __vbaMidStmtBstr, __vbaI4ErrVar, __vbaRecAssign, __vbaFreeStr, __vbaFreeObj |

| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |

| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-10-21T11:29:12.240087+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49711 | 162.55.60.2 | 80 | TCP |
| 2024-10-21T11:29:47.267197+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49895 | 162.55.60.2 | 80 | TCP |
| 2024-10-21T11:29:47.926241+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49897 | 162.55.60.2 | 80 | TCP |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 21, 2024 11:29:11.233119011 CEST | 57774 | 53 | 192.168.2.6 | 1.1.1.1
Oct 21, 2024 11:29:11.376823902 CEST | 53 | 57774 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 21, 2024 11:29:11.233119011 CEST | 192.168.2.6 | 1.1.1.1 | 0xe77d | Standard query (0) | showip.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 21, 2024 11:29:11.376823902 CEST | 1.1.1.1 | 192.168.2.6 | 0xe77d | No error (0) | showip.net | | 162.55.60.2 | A (IP address) | IN (0x0001) | false

                                                            • showip.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 162.55.60.2 | 80 | 6656 | C:\Users\user\Desktop\Payment-Inv.exe

Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 11:29:11.388545990 CEST | 58 | OUT | GET / HTTP/1.1
    User-Agent: Project1
    Host: showip.net
Oct 21, 2024 11:29:12.240016937 CEST | 1236 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: *
    Access-Control-Allow-Methods: *
    Access-Control-Allow-Origin: *
    Content-Type: text/html;charset=utf-8
    Date: Mon, 21 Oct 2024 09:29:12 GMT
    Server: Caddy
    Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49895 | 162.55.60.2 | 80 | 5800 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe

Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 11:29:46.414745092 CEST | 58 | OUT | GET / HTTP/1.1
    User-Agent: Project1
    Host: showip.net
Oct 21, 2024 11:29:47.267036915 CEST | 1236 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: *
    Access-Control-Allow-Methods: *
    Access-Control-Allow-Origin: *
    Content-Type: text/html;charset=utf-8
    Date: Mon, 21 Oct 2024 09:29:47 GMT
    Server: Caddy
    Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49897 | 162.55.60.2 | 80 | 5376 | C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe

Timestamp | Bytes transferred | Direction | Data
Oct 21, 2024 11:29:46.935687065 CEST | 58 | OUT | GET / HTTP/1.1
    User-Agent: Project1
    Host: showip.net
Oct 21, 2024 11:29:47.926179886 CEST | 1236 | IN | HTTP/1.1 200 OK
    Access-Control-Allow-Headers: *
    Access-Control-Allow-Methods: *
    Access-Control-Allow-Origin: *
    Content-Type: text/html;charset=utf-8
    Date: Mon, 21 Oct 2024 09:29:47 GMT
    Server: Caddy
    Transfer-Encoding: chunked



                                                            Target ID:0
                                                            Start time:05:29:08
                                                            Start date:21/10/2024
                                                            Path:C:\Users\user\Desktop\Payment-Inv.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Payment-Inv.exe"
                                                            Imagebase:0x400000
                                                            File size:462'848 bytes
                                                            MD5 hash:D4A26C141B32A5D61EFBE2E7F69C0D00
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000000.2166274087.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:5
                                                            Start time:05:29:35
                                                            Start date:21/10/2024
                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe"
                                                            Imagebase:0x400000
                                                            File size:462'848 bytes
                                                            MD5 hash:D4A26C141B32A5D61EFBE2E7F69C0D00
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000005.00000000.2441004920.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 74%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:7
                                                            Start time:05:29:43
                                                            Start date:21/10/2024
                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe"
                                                            Imagebase:0x400000
                                                            File size:462'848 bytes
                                                            MD5 hash:D4A26C141B32A5D61EFBE2E7F69C0D00
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000007.00000000.2521818363.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000007.00000002.3410576325.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false


                                                              Execution Graph

                                                              Execution Coverage:27.8%
                                                              Dynamic/Decrypted Code Coverage:0.6%
                                                              Signature Coverage:0.2%
                                                              Total number of Nodes:855
                                                              Total number of Limit Nodes:18
7870->7877 7878 4144c4 7871->7878 7879 4144a8 __vbaNew2 7871->7879 7880 4154d1 __vbaStrMove __vbaStrCopy __vbaStrMove 7872->7880 7893 415238 __vbaHresultCheckObj 7873->7893 7894 41525b 7873->7894 7874->7873 7886 414e48 __vbaHresultCheckObj 7875->7886 7887 414e6b 7875->7887 7876->7875 7881 438890 124 API calls 7877->7881 7889 414503 __vbaHresultCheckObj 7878->7889 7890 414526 7878->7890 7879->7878 7882 4379a0 20 API calls 7880->7882 7883 4148bd __vbaStrMove __vbaStrCopy __vbaStrMove 7881->7883 7885 415516 8 API calls 7882->7885 7884 437570 39 API calls 7883->7884 7888 414902 __vbaStrMove 7884->7888 7891 415616 7885->7891 7892 4158fc __vbaStrCopy 7885->7892 7895 414e75 __vbaFreeObj __vbaStrCopy 7886->7895 7887->7895 7896 414932 7888->7896 7897 414916 __vbaNew2 7888->7897 7898 414530 __vbaChkstk __vbaStrMove 7889->7898 7890->7898 7900 415642 7891->7900 7901 415626 __vbaNew2 7891->7901 7899 438890 124 API calls 7892->7899 7893->7894 7908 415291 __vbaHresultCheckObj 7894->7908 7909 4152b4 7894->7909 7902 438890 124 API calls 7895->7902 7919 414971 __vbaHresultCheckObj 7896->7919 7920 414994 7896->7920 7897->7896 7905 4145ae 7898->7905 7903 41591a __vbaStrMove __vbaStrCopy __vbaStrMove 7899->7903 7915 415681 __vbaHresultCheckObj 7900->7915 7916 4156a4 7900->7916 7901->7900 7904 414e9c __vbaStrMove __vbaStrCopy __vbaStrMove 7902->7904 7906 4379a0 20 API calls 7903->7906 7910 437570 39 API calls 7904->7910 7911 4145e2 7905->7911 7912 4145bf __vbaHresultCheckObj 7905->7912 7907 41595f 8 API calls 7906->7907 7913 415d45 __vbaStrCopy 7907->7913 7914 415a5f 7907->7914 7917 4152be __vbaFreeObj __vbaStrCopy 7908->7917 7909->7917 7918 414ee1 __vbaStrMove 7910->7918 7921 4145ec __vbaFreeStrList __vbaFreeObj 7911->7921 7912->7921 7922 438890 124 API calls 7913->7922 7923 415a8b 7914->7923 7924 415a6f __vbaNew2 7914->7924 7915->7916 7935 4156da __vbaHresultCheckObj 7916->7935 7936 4156fd 7916->7936 7925 438890 124 API calls 7917->7925 7926 414f11 7918->7926 7927 414ef5 __vbaNew2 
7918->7927 7928 41499e __vbaChkstk __vbaStrMove 7919->7928 7920->7928 7921->7775 7929 415d63 __vbaStrMove __vbaStrCopy __vbaStrMove 7922->7929 7942 415aca __vbaHresultCheckObj 7923->7942 7943 415aed 7923->7943 7924->7923 7930 4152e5 __vbaStrMove __vbaStrCopy __vbaStrMove 7925->7930 7947 414f50 __vbaHresultCheckObj 7926->7947 7948 414f73 7926->7948 7927->7926 7933 414a1c 7928->7933 7931 4379a0 20 API calls 7929->7931 7932 437570 39 API calls 7930->7932 7934 415da8 8 API calls 7931->7934 7937 41532a __vbaStrMove 7932->7937 7938 414a50 7933->7938 7939 414a2d __vbaHresultCheckObj 7933->7939 7940 415ea8 7934->7940 7941 41618e __vbaStrCopy 7934->7941 7944 415707 __vbaFreeObj __vbaStrCopy 7935->7944 7936->7944 7945 41535a 7937->7945 7946 41533e __vbaNew2 7937->7946 7949 414a5a __vbaFreeStrList __vbaFreeObj 7938->7949 7939->7949 7951 415ed4 7940->7951 7952 415eb8 __vbaNew2 7940->7952 7950 438890 124 API calls 7941->7950 7942->7943 7965 415b23 __vbaHresultCheckObj 7943->7965 7966 415b46 7943->7966 7953 438890 124 API calls 7944->7953 7960 415399 __vbaHresultCheckObj 7945->7960 7961 4153bc 7945->7961 7946->7945 7954 414f7d __vbaChkstk __vbaStrMove 7947->7954 7948->7954 7949->7775 7955 4161ac __vbaStrMove __vbaStrCopy __vbaStrMove 7950->7955 7972 415f13 __vbaHresultCheckObj 7951->7972 7973 415f36 7951->7973 7952->7951 7956 41572e __vbaStrMove __vbaStrCopy __vbaStrMove 7953->7956 7957 414ffb 7954->7957 7958 4379a0 20 API calls 7955->7958 7959 437570 39 API calls 7956->7959 7962 41500c __vbaHresultCheckObj 7957->7962 7963 41502f 7957->7963 7964 4161f1 8 API calls 7958->7964 7967 415773 __vbaStrMove 7959->7967 7968 4153c6 __vbaChkstk __vbaStrMove 7960->7968 7961->7968 7969 415039 __vbaFreeStrList __vbaFreeObj 7962->7969 7963->7969 7970 4162f1 7964->7970 7971 4165d7 __vbaStrCopy 7964->7971 7974 415b50 __vbaFreeObj __vbaStrCopy 7965->7974 7966->7974 7975 4157a3 7967->7975 7976 415787 __vbaNew2 7967->7976 7982 415444 7968->7982 7969->7775 7978 416301 __vbaNew2 7970->7978 7979 
41631d 7970->7979 7977 438890 124 API calls 7971->7977 7972->7973 7988 415f6c __vbaHresultCheckObj 7973->7988 7989 415f8f 7973->7989 7980 438890 124 API calls 7974->7980 7991 4157e2 __vbaHresultCheckObj 7975->7991 7992 415805 7975->7992 7976->7975 7983 4165f5 __vbaStrMove __vbaStrCopy __vbaStrMove 7977->7983 7978->7979 8000 41635c __vbaHresultCheckObj 7979->8000 8001 41637f 7979->8001 7981 415b77 __vbaStrMove __vbaStrCopy __vbaStrMove 7980->7981 7984 437570 39 API calls 7981->7984 7985 415455 __vbaHresultCheckObj 7982->7985 7986 415478 7982->7986 7987 4379a0 20 API calls 7983->7987 7990 415bbc __vbaStrMove 7984->7990 7993 415482 __vbaFreeStrList __vbaFreeObj 7985->7993 7986->7993 7994 41663a 8 API calls 7987->7994 7995 415f99 __vbaFreeObj __vbaStrCopy 7988->7995 7989->7995 7996 415bd0 __vbaNew2 7990->7996 7997 415bec 7990->7997 7998 41580f __vbaChkstk __vbaStrMove 7991->7998 7992->7998 7993->7775 7994->7775 7999 41673a 7994->7999 8002 438890 124 API calls 7995->8002 7996->7997 8013 415c2b __vbaHresultCheckObj 7997->8013 8014 415c4e 7997->8014 8006 41588d 7998->8006 8003 416766 7999->8003 8004 41674a __vbaNew2 7999->8004 8000->8001 8010 4163b5 __vbaHresultCheckObj 8001->8010 8011 4163d8 8001->8011 8005 415fc0 __vbaStrMove __vbaStrCopy __vbaStrMove 8002->8005 8016 4167a5 __vbaHresultCheckObj 8003->8016 8017 4167c8 8003->8017 8004->8003 8007 437570 39 API calls 8005->8007 8008 4158c1 8006->8008 8009 41589e __vbaHresultCheckObj 8006->8009 8012 416005 __vbaStrMove 8007->8012 8015 4158cb __vbaFreeStrList __vbaFreeObj 8008->8015 8009->8015 8018 4163e2 __vbaFreeObj __vbaStrCopy 8010->8018 8011->8018 8019 416035 8012->8019 8020 416019 __vbaNew2 8012->8020 8021 415c58 __vbaChkstk __vbaStrMove 8013->8021 8014->8021 8015->7775 8016->8017 8028 416821 8017->8028 8029 4167fe __vbaHresultCheckObj 8017->8029 8022 438890 124 API calls 8018->8022 8031 416074 __vbaHresultCheckObj 8019->8031 8032 416097 8019->8032 8020->8019 8024 415cd6 8021->8024 8023 416409 __vbaStrMove __vbaStrCopy 
__vbaStrMove 8022->8023 8025 437570 39 API calls 8023->8025 8026 415ce7 __vbaHresultCheckObj 8024->8026 8027 415d0a 8024->8027 8030 41644e __vbaStrMove 8025->8030 8033 415d14 __vbaFreeStrList __vbaFreeObj 8026->8033 8027->8033 8034 41682b __vbaFreeObj __vbaStrCopy 8028->8034 8029->8034 8035 416462 __vbaNew2 8030->8035 8036 41647e 8030->8036 8037 4160a1 __vbaChkstk __vbaStrMove 8031->8037 8032->8037 8033->7775 8038 438890 124 API calls 8034->8038 8035->8036 8044 4164e0 8036->8044 8045 4164bd __vbaHresultCheckObj 8036->8045 8039 41611f 8037->8039 8040 416852 __vbaStrMove __vbaStrCopy __vbaStrMove 8038->8040 8041 416130 __vbaHresultCheckObj 8039->8041 8042 416153 8039->8042 8043 437570 39 API calls 8040->8043 8046 41615d __vbaFreeStrList __vbaFreeObj 8041->8046 8042->8046 8047 416897 __vbaStrMove 8043->8047 8048 4164ea __vbaChkstk __vbaStrMove 8044->8048 8045->8048 8046->7775 8049 4168c7 8047->8049 8050 4168ab __vbaNew2 8047->8050 8051 416568 8048->8051 8054 416906 __vbaHresultCheckObj 8049->8054 8055 416929 8049->8055 8050->8049 8052 416579 __vbaHresultCheckObj 8051->8052 8053 41659c 8051->8053 8056 4165a6 __vbaFreeStrList __vbaFreeObj 8052->8056 8053->8056 8057 416933 __vbaChkstk __vbaStrMove 8054->8057 8055->8057 8056->7775 8058 4169b1 8057->8058 8059 4169c2 __vbaHresultCheckObj 8058->8059 8060 4169e5 8058->8060 8061 4169ef __vbaFreeStrList __vbaFreeObj 8059->8061 8060->8061 8061->7775 8063 4375e3 8062->8063 8064 437692 8063->8064 8065 4375f8 __vbaGenerateBoundsError 8063->8065 8066 4375fe __vbaUI1I4 8063->8066 8067 43775b __vbaLenBstr 8064->8067 8071 437978 __vbaErrorOverflow 8064->8071 8072 4376b9 __vbaGenerateBoundsError 8064->8072 8073 4376c3 __vbaGenerateBoundsError 8064->8073 8077 437705 __vbaGenerateBoundsError 8064->8077 8078 437715 __vbaGenerateBoundsError 8064->8078 8079 437723 __vbaGenerateBoundsError 8064->8079 8081 43773a __vbaGenerateBoundsError 8064->8081 8065->8066 8068 437622 __vbaGenerateBoundsError 8066->8068 8069 437628 __vbaLenBstr 8066->8069 
8087 437778 8067->8087 8068->8069 8070 437645 6 API calls 8069->8070 8069->8071 8070->8063 8070->8071 8072->8064 8073->8064 8074 437900 __vbaAryDestruct __vbaAryDestruct 8074->7780 8076 4377b0 __vbaGenerateBoundsError 8076->8087 8077->8064 8078->8064 8079->8064 8080 4377dc __vbaGenerateBoundsError 8080->8087 8081->8064 8082 4377ef __vbaGenerateBoundsError 8082->8087 8083 4377f9 __vbaGenerateBoundsError 8083->8087 8084 43780c __vbaGenerateBoundsError 8084->8087 8085 43782d __vbaGenerateBoundsError 8085->8087 8086 437837 __vbaGenerateBoundsError 8086->8087 8087->8071 8087->8074 8087->8076 8087->8080 8087->8082 8087->8083 8087->8084 8087->8085 8087->8086 8088 437868 __vbaGenerateBoundsError 8087->8088 8089 43786e #631 __vbaStrMove #516 8087->8089 8090 4378aa 6 API calls 8087->8090 8088->8089 8089->8087 8090->8071 8090->8087 7769 403cfc #100 7770 403d60 7769->7770
                                                              APIs
                                                              • __vbaFixstrConstruct.MSVBVM60(00000100,?,6D41D8B1,6D41D83C,00000000), ref: 0043D33C
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4), ref: 0043D354
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,0298004C,0040524C,00000014), ref: 0043D379
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB1C,00000060), ref: 0043D39D
                                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000001,00000000,00000000,00000000), ref: 0043D3B0
                                                              • __vbaSetSystemError.MSVBVM60(00000000), ref: 0043D3C4
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043D3D6
                                                              • __vbaFreeObj.MSVBVM60 ref: 0043D3DE
                                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,04000000,00000000), ref: 0043D3FD
                                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000,?,00000000,00000000,04000000,00000000), ref: 0043D40C
                                                              • __vbaStrToUnicode.MSVBVM60(00403190,?,?,00000000,00000000,04000000,00000000), ref: 0043D416
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,00000000,04000000,00000000), ref: 0043D422
                                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 0043D444
                                                              • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0043D451
                                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0043D45B
                                                              • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0043D46E
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043D47A
                                                              • __vbaStrCopy.MSVBVM60(?,04000000,00000000), ref: 0043D485
                                                              • __vbaStrToAnsi.MSVBVM60(?,?,00000100,?), ref: 0043D4A7
                                                              • InternetReadFile.WININET(?,00000000), ref: 0043D4B7
                                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 0043D4C1
                                                              • __vbaLsetFixstr.MSVBVM60(00000000,?,00000000), ref: 0043D4CE
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043D4DA
                                                              • __vbaStrCopy.MSVBVM60(00000001,?), ref: 0043D4F8
                                                              • #631.MSVBVM60(00000000), ref: 0043D4FF
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D50A
                                                              • __vbaLsetFixstr.MSVBVM60(00000000,?,?), ref: 0043D51A
                                                              • __vbaStrCat.MSVBVM60(?,?), ref: 0043D524
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D52F
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043D53F
                                                              • __vbaSetSystemError.MSVBVM60 ref: 0043D54C
                                                              • #598.MSVBVM60 ref: 0043D559
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 0043D56D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043D575
                                                              • __vbaFreeStr.MSVBVM60(0043D5BF), ref: 0043D5B7
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043D5BC
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$ErrorSystem$AnsiFixstrList$CopyLsetUnicode$CheckHresultMove$#598#631ConstructFileInternetNew2Read
                                                              • String ID:
                                                              • API String ID: 2099816023-0
                                                              • Opcode ID: 524e124877bc37dcf9b1184887336e79103ab1016a0d846978c83aa0df34eb21
                                                              • Instruction ID: d384bfb33a3bc620ae76a5f822bcc066e77425dc072161e09f152f1785ccec20
                                                              • Opcode Fuzzy Hash: 524e124877bc37dcf9b1184887336e79103ab1016a0d846978c83aa0df34eb21
                                                              • Instruction Fuzzy Hash: E881FD75D00209AFDB04EBA4ED85EEEBB7DEF48704F10801AF901B72A0DA74A945CF64
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6), ref: 0041EADE
                                                              • __vbaAryConstruct2.MSVBVM60(?,00409A8C,00000008,?,00000000,?,?,004037E6), ref: 0041EB10
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0041EB1F
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0041EB37
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 0041EB51
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0041EB62
                                                              • __vbaStrMove.MSVBVM60 ref: 0041EB8A
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041EBAF
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041EBD6
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041EBEA
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041EC15
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 0041EC30
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,?,004037E6), ref: 0041EC4A
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 0041EC5B
                                                              • __vbaStrMove.MSVBVM60 ref: 0041EC83
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041ECA8
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041ECCF
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041ECE3
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041ED0E
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 0041ED29
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 0041ED43
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 0041ED54
                                                              • __vbaStrMove.MSVBVM60 ref: 0041ED7C
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041EDC8
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041EDDC
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041EE07
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041EE22
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041EE3C
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041EE4D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041EE75
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041EE9A
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041EEC1
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041EED5
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041EF00
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041EF1B
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041EF35
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041EF46
                                                              • __vbaStrMove.MSVBVM60 ref: 0041EF6E
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041EF93
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041EFBA
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041EFCE
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041EFF9
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041F014
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041F02E
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041F03F
                                                              • __vbaStrMove.MSVBVM60 ref: 0041F067
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041F0B3
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041F0C7
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0041F0F2
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041F10D
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041F127
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041F138
                                                              • __vbaStrMove.MSVBVM60 ref: 0041F160
                                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 00422EDE
                                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 00422EF7
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 00422F59
                                                              • __vbaChkstk.MSVBVM60(00000008), ref: 00422F8F
                                                              • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008), ref: 00422FC9
                                                              • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 00422FDA
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00422FEF
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00423004
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00423019
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00423020
                                                              • __vbaStrMove.MSVBVM60 ref: 0042302D
                                                              • __vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 0042305F
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042307A
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00423094
                                                              • __vbaStrCopy.MSVBVM60 ref: 004230A5
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 004230BF
                                                              • __vbaStrCopy.MSVBVM60 ref: 004230E3
                                                              • __vbaStrMove.MSVBVM60 ref: 0042310B
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 0042313F
                                                              • __vbaStrMove.MSVBVM60 ref: 00423167
                                                              • __vbaStrMove.MSVBVM60(00000000,00000000,00000000,00000001), ref: 00423190
                                                              • __vbaInStr.MSVBVM60(00000000,00000000), ref: 00423199
                                                              • __vbaChkstk.MSVBVM60 ref: 004231B4
                                                              • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001), ref: 004231EE
                                                              • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 00423206
                                                              • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 0042321B
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00423222
                                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 00423270
                                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 00423289
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 004232EB
                                                              • __vbaStrMove.MSVBVM60 ref: 004232F9
                                                                • Part of subcall function 00438660: __vbaLenBstr.MSVBVM60(00000000,`,@,00000000,6D41D8B1), ref: 004386A9
                                                                • Part of subcall function 00438660: __vbaLenBstr.MSVBVM60 ref: 004386B7
                                                                • Part of subcall function 00438660: __vbaFpI4.MSVBVM60 ref: 004386F1
                                                                • Part of subcall function 00438660: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 00438711
                                                                • Part of subcall function 00438660: __vbaUbound.MSVBVM60(00000001,?), ref: 00438720
                                                                • Part of subcall function 00438660: __vbaGenerateBoundsError.MSVBVM60 ref: 00438760
                                                                • Part of subcall function 00438660: #631.MSVBVM60(?,?,?,0040C894), ref: 00438794
                                                                • Part of subcall function 00438660: __vbaStrMove.MSVBVM60 ref: 0043879F
                                                                • Part of subcall function 00438660: __vbaStrCat.MSVBVM60(00000000), ref: 004387A2
                                                                • Part of subcall function 00438660: __vbaStrMove.MSVBVM60 ref: 004387AD
                                                              • __vbaAryMove.MSVBVM60(?,?,?), ref: 0042331F
                                                                • Part of subcall function 004248A0: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 004248BE
                                                                • Part of subcall function 004248A0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 004248EE
                                                                • Part of subcall function 004248A0: #716.MSVBVM60(?,System.Security.Cryptography.RijndaelManaged,00000000,?,00000000,?,00000000,004037E6), ref: 0042490D
                                                                • Part of subcall function 004248A0: __vbaVarSetVar.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0042491B
                                                                • Part of subcall function 004248A0: __vbaChkstk.MSVBVM60 ref: 0042493E
                                                                • Part of subcall function 004248A0: __vbaVarLateMemSt.MSVBVM60(?,keySize), ref: 00424968
                                                                • Part of subcall function 004248A0: __vbaChkstk.MSVBVM60 ref: 0042498B
                                                                • Part of subcall function 004248A0: __vbaVarLateMemSt.MSVBVM60(?,Padding), ref: 004249B5
                                                                • Part of subcall function 004248A0: __vbaChkstk.MSVBVM60 ref: 004249D8
                                                                • Part of subcall function 004248A0: __vbaVarLateMemSt.MSVBVM60(?,Mode), ref: 00424A02
                                                                • Part of subcall function 004248A0: __vbaStrCopy.MSVBVM60 ref: 00424A17
                                                                • Part of subcall function 004248A0: __vbaStrMove.MSVBVM60(?), ref: 00424A2B
                                                                • Part of subcall function 004248A0: __vbaStrCopy.MSVBVM60 ref: 00424A39
                                                              • __vbaChkstk.MSVBVM60(00000008,?), ref: 00423361
                                                              • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008,?), ref: 0042339B
                                                              • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 004233AC
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004233C1
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004233D6
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 004233EB
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004233F2
                                                              • __vbaStrMove.MSVBVM60 ref: 004233FF
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042340B
                                                              • __vbaFreeVarList.MSVBVM60(00000006,00008008,0000000A,?,00000008,?,?), ref: 0042343D
                                                              • __vbaErase.MSVBVM60(00000000,?), ref: 0042344F
                                                              • __vbaStrCopy.MSVBVM60 ref: 00423467
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00423481
                                                              • __vbaStrCopy.MSVBVM60 ref: 00423492
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 004234AC
                                                              • __vbaStrCopy.MSVBVM60 ref: 004234D0
                                                              • __vbaStrMove.MSVBVM60 ref: 004234F8
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 0042352C
                                                              • __vbaStrMove.MSVBVM60 ref: 00423554
                                                              • __vbaStrMove.MSVBVM60(00000000,00000000,?,00000001), ref: 0042357D
                                                              • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001), ref: 00423586
                                                              • __vbaChkstk.MSVBVM60(?,00000001), ref: 004235A1
                                                              • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,?,00000001), ref: 004235DB
                                                              • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 004235F3
                                                              • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 00423608
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 0042360F
                                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,00000000,00000000,00000000,?,00000000,00000000), ref: 0042365D
                                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 00423676
                                                              • __vbaStrCopy.MSVBVM60 ref: 004236A0
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004236BA
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 00423703
                                                              • __vbaStrCopy.MSVBVM60 ref: 00423738
                                                              • __vbaStrMove.MSVBVM60 ref: 00423760
                                                              • __vbaChkstk.MSVBVM60(00000008,?,?), ref: 004237A9
                                                              • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,00000008,?,?), ref: 004237E3
                                                              • __vbaVarAdd.MSVBVM60(0000000A,00000000), ref: 004237F4
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00423809
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0042381E
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00423833
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 00423848
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0042385D
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00423864
                                                              • __vbaStrMove.MSVBVM60 ref: 00423871
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 00423895
                                                              • __vbaFreeVarList.MSVBVM60(00000009,00008008,0000000A,?,00000008,?,?,00000008,?,?), ref: 004238DF
                                                              • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 004238FA
                                                              • __vbaStrMove.MSVBVM60 ref: 00423908
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 00423914
                                                              • __vbaStrMove.MSVBVM60 ref: 00423921
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042392D
                                                              • __vbaInStr.MSVBVM60(00000000,WinSCP 2,00000000,00000001), ref: 00423970
                                                              • __vbaChkstk.MSVBVM60 ref: 0042398B
                                                              • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001), ref: 004239C5
                                                              • __vbaVarCmpEq.MSVBVM60(0000000A,00008008,00000000), ref: 004239DD
                                                              • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 004239F2
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 004239F9
                                                              • __vbaFreeVar.MSVBVM60 ref: 00423A0C
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 00423A2B
                                                              • __vbaStrMove.MSVBVM60 ref: 00423A36
                                                              • __vbaInStr.MSVBVM60(00000000,WinSCP 2,?,00000001), ref: 00423A79
                                                              • __vbaChkstk.MSVBVM60(?,00000001), ref: 00423A94
                                                              • __vbaVarIndexLoad.MSVBVM60(00008008,?,00000001,?,00000001), ref: 00423ACE
                                                              • __vbaVarCmpEq.MSVBVM60(0000000A,00008008,00000000), ref: 00423AE6
                                                              • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 00423AFB
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00423B02
                                                              • __vbaFreeVar.MSVBVM60 ref: 00423B15
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 00423B34
                                                              • __vbaStrMove.MSVBVM60 ref: 00423B3F
                                                              • __vbaStrCopy.MSVBVM60 ref: 00423B57
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00423B71
                                                              • __vbaStrCopy.MSVBVM60 ref: 00423B95
                                                              • __vbaStrMove.MSVBVM60 ref: 00423BBD
                                                              • __vbaInStr.MSVBVM60(00000000,WinSCP 2,?,00000001,?,?), ref: 00423BF5
                                                              • __vbaChkstk.MSVBVM60(?,00000001,?,?), ref: 00423C10
                                                              • __vbaVarIndexLoad.MSVBVM60(0000000A,?,00000001,?,00000001,?,?), ref: 00423C4A
                                                              • __vbaVarCmpEq.MSVBVM60(?,00008008,00000000), ref: 00423C62
                                                              • __vbaVarAnd.MSVBVM60(?,00000003,00000000), ref: 00423C77
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00423C7E
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 00423CA9
                                                              • __vbaFreeVarList.MSVBVM60(00000002,0000000A,00008008), ref: 00423CC2
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 00423CE8
                                                              • __vbaStrMove.MSVBVM60 ref: 00423CF3
                                                              • __vbaStrCat.MSVBVM60(Url: ,00000000), ref: 00423D0C
                                                              • __vbaStrMove.MSVBVM60 ref: 00423D1A
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 00423D25
                                                              • __vbaStrMove.MSVBVM60 ref: 00423D33
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 00423D3F
                                                              • __vbaStrMove.MSVBVM60 ref: 00423D4C
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00423D62
                                                              • __vbaStrCat.MSVBVM60(Username: ,00000000), ref: 00423D7D
                                                              • __vbaStrMove.MSVBVM60 ref: 00423D8B
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 00423D96
                                                              • __vbaStrMove.MSVBVM60 ref: 00423DA4
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 00423DB0
                                                              • __vbaStrMove.MSVBVM60 ref: 00423DBD
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00423DD3
                                                              • __vbaStrCat.MSVBVM60(Password: ,00000000), ref: 00423DEF
                                                              • __vbaStrMove.MSVBVM60 ref: 00423DFD
                                                                • Part of subcall function 00424EA0: __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,?,?,00000000), ref: 00424EBE
                                                                • Part of subcall function 00424EA0: __vbaOnError.MSVBVM60(000000FF,00401F08,-00000001,6D4EEC2C,00000000,004037E6), ref: 00424EEE
                                                                • Part of subcall function 00424EA0: __vbaStrCat.MSVBVM60(00000000), ref: 00424F0E
                                                                • Part of subcall function 00424EA0: __vbaVarMove.MSVBVM60 ref: 00424F2D
                                                                • Part of subcall function 00424EA0: __vbaLenBstr.MSVBVM60 ref: 00424F40
                                                                • Part of subcall function 00424EA0: __vbaStrCat.MSVBVM60(00409C14,?), ref: 00424FB0
                                                                • Part of subcall function 00424EA0: __vbaStrMove.MSVBVM60 ref: 00424FBE
                                                                • Part of subcall function 00424EA0: #631.MSVBVM60(00000002,-00000001,00000002,00000000), ref: 00424FDF
                                                                • Part of subcall function 00424EA0: __vbaStrMove.MSVBVM60 ref: 00424FED
                                                                • Part of subcall function 00424EA0: __vbaStrCat.MSVBVM60(00000000), ref: 00424FF4
                                                                • Part of subcall function 00424EA0: __vbaStrMove.MSVBVM60 ref: 00425002
                                                                • Part of subcall function 00424EA0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00425018
                                                                • Part of subcall function 00424EA0: __vbaFreeVar.MSVBVM60 ref: 00425027
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00423E1D
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00423E24
                                                              • __vbaStrMove.MSVBVM60 ref: 00423E32
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 00423E3E
                                                              • __vbaStrMove.MSVBVM60 ref: 00423E4B
                                                              • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 00423E68
                                                              • __vbaStrCat.MSVBVM60(Application: WinSCP,00000000), ref: 00423E84
                                                              • __vbaStrMove.MSVBVM60 ref: 00423E92
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 00423E9E
                                                              • __vbaStrMove.MSVBVM60 ref: 00423EAB
                                                              • __vbaFreeStr.MSVBVM60 ref: 00423EB7
                                                              • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 00423ECF
                                                              • __vbaStrMove.MSVBVM60 ref: 00423EDD
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 00423EE9
                                                              • __vbaStrMove.MSVBVM60 ref: 00423EF6
                                                              • __vbaFreeStr.MSVBVM60 ref: 00423F02
                                                              • __vbaStrCat.MSVBVM60(0040654C,?), ref: 00423F3F
                                                              • __vbaChkstk.MSVBVM60 ref: 00423F9A
                                                              • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 00423FD9
                                                              • __vbaChkstk.MSVBVM60 ref: 00423FE6
                                                              • __vbaChkstk.MSVBVM60 ref: 00424008
                                                              • __vbaChkstk.MSVBVM60 ref: 00424037
                                                              • __vbaChkstk.MSVBVM60 ref: 00424066
                                                              • __vbaLateMemCall.MSVBVM60(?,getstringvalue,00000005), ref: 0042409B
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 004240B4
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 004240CD
                                                              • __vbaRedimPreserve.MSVBVM60(00000880,00000010,?,0000000C,00000001,00000000,00000000), ref: 004240F7
                                                              • __vbaStrCat.MSVBVM60(0040654C,?), ref: 00424113
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042416D
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042418A
                                                              • __vbaVarCat.MSVBVM60(0000000A,?,00000008), ref: 004241AB
                                                              • __vbaChkstk.MSVBVM60 ref: 004241B8
                                                              • __vbaVarLateMemSt.MSVBVM60(?,firefliesPHYhoSnuWsSVdMViTUZvbdUOqCZaVdKywDwYfluxible), ref: 004241EA
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000008,0000000A), ref: 00424200
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042421B
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00424235
                                                              • __vbaStrCopy.MSVBVM60 ref: 00424246
                                                              • __vbaStrMove.MSVBVM60 ref: 0042426E
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?), ref: 004242DB
                                                              • __vbaChkstk.MSVBVM60 ref: 00424309
                                                              • __vbaVarLateMemSt.MSVBVM60(?,fluskNlyaFwnjIJJXXfirefighting), ref: 00424348
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0042436C
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042437B
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004243E0
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004243FD
                                                              • __vbaVarCat.MSVBVM60(00000008,00000008,?), ref: 0042441E
                                                              • __vbaChkstk.MSVBVM60 ref: 0042442B
                                                              • __vbaVarLateMemSt.MSVBVM60(?,fishpoolBLQUTBKpNTsWwcMxVTZuJsophistic), ref: 0042445D
                                                              • __vbaFreeVar.MSVBVM60 ref: 00424469
                                                              • __vbaChkstk.MSVBVM60 ref: 004244D0
                                                              • __vbaChkstk.MSVBVM60 ref: 004244FF
                                                              • __vbaChkstk.MSVBVM60 ref: 0042452E
                                                              • __vbaLateMemCall.MSVBVM60(?,EnumKey,00000003), ref: 00424563
                                                              • #560.MSVBVM60(?), ref: 0042457A
                                                              • __vbaForEachVar.MSVBVM60(?,?,?,?,?,?), ref: 004245BC
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 004245F0
                                                              • __vbaFreeStr.MSVBVM60 ref: 004245FC
                                                              • __vbaNextEachVar.MSVBVM60(?,?,?,?,?), ref: 0042462C
                                                              • __vbaAryUnlock.MSVBVM60(?,0042487A), ref: 00424726
                                                              • __vbaFreeObj.MSVBVM60 ref: 00424732
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042473E
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042474D
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042475C
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042476B
                                                              • __vbaFreeVar.MSVBVM60 ref: 00424774
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042477D
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 00424893
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Copy$Free$List$Chkstk$Error$BoundsGenerate$Late$IndexLoad$BoolNull$Bstr$Call$Ubound$#631Redim$#716AddrefDestruct$#516#560EachNofreePreserveVarg$#537#598#608#626#632Construct2EraseNextOverflowUnlock
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00416B0E
                                                              • __vbaAryConstruct2.MSVBVM60(?,004085B0,00000008,?,00000000,?,00000000,004037E6), ref: 00416B40
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 00416B4F
                                                              • __vbaUbound.MSVBVM60(00000001,00759BB8,?,00000000,?,00000000,004037E6), ref: 00416B65
                                                              • __vbaI2I4.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 00416B6D
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00416C1A
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00416C37
                                                              • __vbaStrCat.MSVBVM60(0040654C,00759BB8), ref: 00416C5B
                                                              • __vbaStrMove.MSVBVM60 ref: 00416C69
                                                              • __vbaAryMove.MSVBVM60(00447068,?,?,00447064), ref: 00416C92
                                                              • __vbaFreeStr.MSVBVM60 ref: 00416C9E
                                                              • __vbaUbound.MSVBVM60(00000001,0077B5B8), ref: 00416CC9
                                                              • __vbaI2I4.MSVBVM60 ref: 00416CD1
                                                              • __vbaStrCopy.MSVBVM60 ref: 00416D32
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00416D4C
                                                              • __vbaStrCopy.MSVBVM60 ref: 00416D5D
                                                              • __vbaStrMove.MSVBVM60 ref: 00416D85
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00416DA6
                                                              • __vbaStrMove.MSVBVM60(0077B5B8), ref: 00416E51
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00416E58
                                                              • __vbaUbound.MSVBVM60(00000001,00759B58), ref: 00419388
                                                              • __vbaI2I4.MSVBVM60 ref: 00419390
                                                              • __vbaStrCat.MSVBVM60(0040654C,00759B58), ref: 0041947E
                                                              • __vbaStrMove.MSVBVM60 ref: 0041948C
                                                              • __vbaAryMove.MSVBVM60(00447068,?,?,00447064), ref: 004194B5
                                                              • __vbaFreeStr.MSVBVM60 ref: 004194C1
                                                              • __vbaUbound.MSVBVM60(00000001,0077B5B8), ref: 004194EC
                                                              • __vbaI2I4.MSVBVM60 ref: 004194F4
                                                              • __vbaStrCopy.MSVBVM60 ref: 00419554
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041956E
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041957F
                                                              • __vbaStrMove.MSVBVM60 ref: 004195A7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$CopyUbound$Error$BoundsFreeGenerate$ChkstkConstruct2
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6), ref: 0041259E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004037E6), ref: 004125E3
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,004037E6), ref: 004125FB
                                                              • __vbaSetSystemError.MSVBVM60(?,?,?,?,004037E6), ref: 00412613
                                                              • __vbaSetSystemError.MSVBVM60(0001010A,?,?,?,?,004037E6), ref: 0041263E
                                                              • #537.MSVBVM60(00000000,?,?,?,?,004037E6), ref: 00412658
                                                              • #607.MSVBVM60(?,0000000F,00000008), ref: 00412677
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00412681
                                                              • __vbaStrMove.MSVBVM60 ref: 0041268E
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041269E
                                                              • __vbaStrToAnsi.MSVBVM60(?,00802A84,0000000E,?,?,004037E6), ref: 004126C9
                                                              • __vbaSetSystemError.MSVBVM60(0001010A,00000000,?,?,004037E6), ref: 004126DC
                                                              • __vbaStrToUnicode.MSVBVM60(00447088,?,?,?,004037E6), ref: 004126EB
                                                              • __vbaFreeStr.MSVBVM60(?,?,004037E6), ref: 004126F4
                                                              • __vbaStrCmp.MSVBVM60(008030B4,00802A84,?,?,004037E6), ref: 0041270E
                                                              • __vbaStrCmp.MSVBVM60(00405E48,008030B4,?,?,004037E6), ref: 00412727
                                                              • __vbaStrCat.MSVBVM60(00405C14,0081C8FC,?,?,004037E6), ref: 0041274E
                                                              • __vbaStrMove.MSVBVM60(?,?,004037E6), ref: 00412759
                                                              • __vbaStrCat.MSVBVM60(00406334,00000000,?,?,004037E6), ref: 00412765
                                                              • #612.MSVBVM60(?), ref: 00412779
                                                              • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 004127F1
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00412806
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041281B
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00412830
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00412845
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0041285A
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00412861
                                                              • __vbaStrMove.MSVBVM60 ref: 0041286E
                                                              • __vbaFreeStr.MSVBVM60 ref: 00412877
                                                              • __vbaFreeVarList.MSVBVM60(00000008,00000008,?,?,?,?,?,?,?), ref: 004128AE
                                                              • __vbaSetSystemError.MSVBVM60(00000008,?,?,004037E6), ref: 004128CC
                                                              • __vbaLenBstr.MSVBVM60(0081C8FC), ref: 004128EA
                                                              • #616.MSVBVM60(0081C8FC,-00000001), ref: 00412901
                                                              • __vbaStrMove.MSVBVM60 ref: 0041290E
                                                              • __vbaSetSystemError.MSVBVM60(0000000D), ref: 00412929
                                                              • __vbaStrCat.MSVBVM60(00405C14,0081C8FC), ref: 0041294D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041295A
                                                              • __vbaSetSystemError.MSVBVM60(00000020), ref: 00412975
                                                              • __vbaStrCat.MSVBVM60(0040635C,0081C8FC), ref: 00412998
                                                              • __vbaStrMove.MSVBVM60 ref: 004129A5
                                                              • __vbaSetSystemError.MSVBVM60(00000010), ref: 004129C0
                                                              • __vbaSetSystemError.MSVBVM60(00000011), ref: 004129F6
                                                              • __vbaStrCopy.MSVBVM60 ref: 00412A1A
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00412A2E
                                                              • __vbaStrCopy.MSVBVM60 ref: 00412A3C
                                                              • __vbaStrMove.MSVBVM60 ref: 00412A5B
                                                              • __vbaStrMove.MSVBVM60(?,?,0081C8FC), ref: 00412A79
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00412A80
                                                              • __vbaStrMove.MSVBVM60 ref: 00412A8D
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00412AA9
                                                              • __vbaSetSystemError.MSVBVM60(00000014), ref: 00412AC7
                                                              • __vbaSetSystemError.MSVBVM60(000000DF), ref: 00412B75
                                                              • #608.MSVBVM60(?,000000DF), ref: 00412BCC
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 00412BE1
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00412BE8
                                                              • __vbaStrMove.MSVBVM60 ref: 00412BF5
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00412C05
                                                              • __vbaErrorOverflow.MSVBVM60(?,?,004037E6), ref: 00413910
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0041393E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6), ref: 0041397A
                                                              • __vbaStrCmp.MSVBVM60(00405E48,?,?,?,?,00000000,004037E6), ref: 00413992
                                                              • __vbaFreeVar.MSVBVM60(00416AC7), ref: 00416A9C
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AA5
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AAE
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AB7
                                                              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AC0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Error$Free$System$List$Copy$Chkstk$#537#607#608#612#616AnsiBstrOverflowUnicode

                                                              Control-flow Graph

                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,0041B14E,?,00447040,?), ref: 00425A9E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 00425ACE
                                                              • __vbaStrCat.MSVBVM60(\LogabacusesxBGTaeIfvTUzjaQgHAWxNnWeaZsQuFodevotionality,00778314), ref: 00425AF4
                                                              • __vbaStrMove.MSVBVM60 ref: 00425B02
                                                              • #712.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00425B25
                                                              • __vbaStrMove.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00425B33
                                                              • __vbaStrCat.MSVBVM60(\WebData,00778314,?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00425B4B
                                                              • __vbaStrMove.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00425B56
                                                              • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00425B71
                                                              • __vbaVarZero.MSVBVM60(?,Login Data,Web Data,00000001,000000FF,00000000), ref: 00425B83
                                                              • __vbaChkstk.MSVBVM60 ref: 00425BCA
                                                              • __vbaChkstk.MSVBVM60 ref: 00425BF9
                                                              • __vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 00425C31
                                                              • __vbaLateMemCall.MSVBVM60(00000000), ref: 00425C38
                                                              • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 00425C67
                                                              • __vbaVarZero.MSVBVM60 ref: 00425C79
                                                              • __vbaChkstk.MSVBVM60 ref: 00425CC0
                                                              • __vbaChkstk.MSVBVM60 ref: 00425CEF
                                                              • __vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 00425D27
                                                              • __vbaLateMemCall.MSVBVM60(00000000), ref: 00425D2E
                                                              • __vbaStrCopy.MSVBVM60(?), ref: 00425D88
                                                                • Part of subcall function 00443130: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,?,00000000), ref: 0044317E
                                                                • Part of subcall function 00443130: __vbaAryMove.MSVBVM60(?,?,7@), ref: 0044319B
                                                                • Part of subcall function 00443130: __vbaLbound.MSVBVM60(00000001,?), ref: 004431A7
                                                                • Part of subcall function 00443130: __vbaUbound.MSVBVM60(00000001,?), ref: 004431B5
                                                                • Part of subcall function 00443130: __vbaAryLock.MSVBVM60(?,?), ref: 004431D6
                                                                • Part of subcall function 00443130: __vbaGenerateBoundsError.MSVBVM60 ref: 004431F5
                                                                • Part of subcall function 00443130: #644.MSVBVM60(00000000), ref: 00443217
                                                                • Part of subcall function 00443130: __vbaAryUnlock.MSVBVM60(?), ref: 00443220
                                                                • Part of subcall function 00443130: __vbaSetSystemError.MSVBVM60(?,?,-00000001,?,?), ref: 0044323E
                                                                • Part of subcall function 00443130: __vbaAryLock.MSVBVM60(?,?), ref: 0044324C
                                                              • __vbaFreeStr.MSVBVM60(?,?), ref: 00425DAA
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 00425DC6
                                                              • __vbaVarMove.MSVBVM60(?,00000000), ref: 00425E04
                                                              • __vbaAryMove.MSVBVM60(?,00000064,?,00000002), ref: 00425E5E
                                                              • __vbaVarCmpEq.MSVBVM60(00000008,00008008,?), ref: 00425E91
                                                              • __vbaVarNot.MSVBVM60(?,00000000), ref: 00425E9F
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00425EA6
                                                              • __vbaVarMove.MSVBVM60(?,00000000), ref: 00425EE4
                                                              • __vbaStrCopy.MSVBVM60 ref: 00425EFC
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00425F16
                                                              • __vbaStrCopy.MSVBVM60 ref: 00425F27
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00425F41
                                                              • __vbaStrCat.MSVBVM60(Url : ,00000000), ref: 00425F53
                                                              • __vbaStrCopy.MSVBVM60 ref: 00425F88
                                                              • __vbaStrMove.MSVBVM60 ref: 00425FB0
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 00425FF8
                                                              • __vbaStrMove.MSVBVM60 ref: 00426020
                                                              • __vbaVarCat.MSVBVM60(?,?,00000008,?,?), ref: 0042606F
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00426084
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00426099
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004260AB
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004260C0
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004260D5
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004260E7
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004260FC
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00426103
                                                              • __vbaStrMove.MSVBVM60 ref: 00426110
                                                              • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 00426150
                                                              • __vbaFreeVarList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,?,?), ref: 004261A8
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004261DD
                                                              • __vbaStrCopy.MSVBVM60 ref: 004261EE
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042623E
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00426245
                                                              • __vbaStrMove.MSVBVM60 ref: 00426253
                                                              • __vbaStrCat.MSVBVM60(00000000,00000000), ref: 00426260
                                                              • __vbaStrMove.MSVBVM60 ref: 0042626E
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0042627A
                                                              • __vbaStrMove.MSVBVM60 ref: 00426288
                                                              • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 00426294
                                                              • __vbaStrMove.MSVBVM60 ref: 004262A2
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 004262AE
                                                              • __vbaStrMove.MSVBVM60 ref: 004262BB
                                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,00000000), ref: 00426302
                                                              • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004264F0
                                                                • Part of subcall function 00442FB0: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044309C
                                                                • Part of subcall function 00442FB0: __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 004430C9
                                                                • Part of subcall function 00442FB0: __vbaAryDestruct.MSVBVM60(00000000,?,0044310C,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00443105
                                                              • __vbaAryMove.MSVBVM60(?,?,?,00000003), ref: 0042651C
                                                              • __vbaVarCmpEq.MSVBVM60(?,00008008,?), ref: 0042654F
                                                              • __vbaVarNot.MSVBVM60(?,00000000), ref: 0042655D
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00426564
                                                              • __vbaVarMove.MSVBVM60(?,00000000), ref: 004265A2
                                                              • __vbaStrCat.MSVBVM60(Name on Card: ,00000000), ref: 004265BA
                                                              • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00426646
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 0042665B
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00426670
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00426682
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00426697
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004266AC
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004266BE
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004266D3
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004266DA
                                                              • __vbaStrMove.MSVBVM60 ref: 004266E7
                                                              • __vbaFreeVarList.MSVBVM60(00000009,00000008,?,?,?,?,?,?,?,?), ref: 0042672E
                                                              • __vbaStrCopy.MSVBVM60 ref: 00426749
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00426763
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0042676D
                                                              • __vbaStrMove.MSVBVM60 ref: 0042677B
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042678C
                                                              • __vbaStrMove.MSVBVM60 ref: 004267B4
                                                              • __vbaStrCat.MSVBVM60(Card Type: ,00000000), ref: 004267C5
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 004267EE
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004267F5
                                                              • __vbaStrMove.MSVBVM60 ref: 00426803
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0042680F
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0042683F
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00426846
                                                              • __vbaStrMove.MSVBVM60 ref: 00426854
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 00426861
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 0042686F
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000,?,00000000), ref: 0042687B
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 00426888
                                                              • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 004268E4
                                                              • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00000000), ref: 004268FF
                                                              • __vbaStrMove.MSVBVM60 ref: 0042690D
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 00426919
                                                              • __vbaStrMove.MSVBVM60 ref: 00426926
                                                              • __vbaFreeStr.MSVBVM60 ref: 00426932
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 0042694D
                                                                • Part of subcall function 00443380: __vbaSetSystemError.MSVBVM60(?,00426345,00000064), ref: 0044338C
                                                              • #529.MSVBVM60(00004008,00000064), ref: 00426993
                                                              • __vbaStrMove.MSVBVM60 ref: 0042681D
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60 ref: 004267D3
                                                                • Part of subcall function 00428480: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0042849E
                                                                • Part of subcall function 00428480: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 004284CE
                                                                • Part of subcall function 00428480: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 004284EA
                                                                • Part of subcall function 00428480: __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 004284FE
                                                                • Part of subcall function 00428480: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0042850C
                                                                • Part of subcall function 00428480: __vbaStrMove.MSVBVM60 ref: 0042852B
                                                                • Part of subcall function 00428480: __vbaStrMove.MSVBVM60(?,?), ref: 00428543
                                                                • Part of subcall function 00428480: __vbaStrMove.MSVBVM60(00000000), ref: 00428564
                                                                • Part of subcall function 00428480: #716.MSVBVM60(?,00000000), ref: 0042856F
                                                                • Part of subcall function 00428480: __vbaObjVar.MSVBVM60(?), ref: 00428579
                                                                • Part of subcall function 00428480: __vbaObjSetAddref.MSVBVM60(00000000,00000000), ref: 00428584
                                                                • Part of subcall function 00428480: __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,?), ref: 004285A4
                                                                • Part of subcall function 00428480: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,004037E6), ref: 004285B0
                                                                • Part of subcall function 00428480: __vbaChkstk.MSVBVM60 ref: 004285D0
                                                              • __vbaStrMove.MSVBVM60 ref: 00426216
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrCopy.MSVBVM60 ref: 004261C3
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaVarMove.MSVBVM60(?,00000001), ref: 00425E35
                                                                • Part of subcall function 00442FB0: __vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00442FF2
                                                                • Part of subcall function 00442FB0: __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443002
                                                                • Part of subcall function 00442FB0: __vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443009
                                                                • Part of subcall function 00442FB0: __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443013
                                                                • Part of subcall function 00442FB0: __vbaSetSystemError.MSVBVM60(00403488,0042650B,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443024
                                                                • Part of subcall function 00442FB0: __vbaSetSystemError.MSVBVM60(00403488,0042650B,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 0044303C
                                                                • Part of subcall function 00442FB0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000), ref: 0044305F
                                                                • Part of subcall function 00442FB0: __vbaAryLock.MSVBVM60(?,?), ref: 00443070
                                                                • Part of subcall function 00442FB0: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044308F
                                                                • Part of subcall function 00442FB0: __vbaSetSystemError.MSVBVM60(00000000,00000000,?), ref: 004430B5
                                                                • Part of subcall function 00442FB0: __vbaAryUnlock.MSVBVM60(?), ref: 004430BB
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 00426320
                                                              • #645.MSVBVM60(00004008,00000000,00000064), ref: 0042636B
                                                              • __vbaStrMove.MSVBVM60 ref: 00426379
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00426385
                                                              • __vbaFreeStr.MSVBVM60 ref: 004263A0
                                                              • __vbaStrCopy.MSVBVM60(?), ref: 004263DD
                                                              • __vbaFreeStr.MSVBVM60(?,?), ref: 004263FF
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 0042641B
                                                              • __vbaVarMove.MSVBVM60(?,00000000), ref: 00426459
                                                              • __vbaStrMove.MSVBVM60(?,00000001), ref: 00426479
                                                              • __vbaStrCat.MSVBVM60(0040654C,00000000), ref: 00426485
                                                              • __vbaStrMove.MSVBVM60 ref: 00426493
                                                              • __vbaStrMove.MSVBVM60(?,00000002,00000000), ref: 004264AD
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004264B4
                                                              • __vbaVarMove.MSVBVM60 ref: 004264D3
                                                                • Part of subcall function 00442F20: __vbaSetSystemError.MSVBVM60(?,7@,?,00000000,?,?,?,00000000,004037E6), ref: 00442F60
                                                                • Part of subcall function 00442F20: __vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,00000000,004037E6), ref: 00442F77
                                                              • __vbaStrCopy.MSVBVM60 ref: 004269B0
                                                              • __vbaStrToAnsi.MSVBVM60(?,?,?), ref: 004269CF
                                                              • __vbaSetSystemError.MSVBVM60(00000000), ref: 004269DB
                                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 004269EF
                                                              • __vbaFreeStr.MSVBVM60 ref: 004269FB
                                                              • __vbaStrToAnsi.MSVBVM60(?,?), ref: 00426A27
                                                              • __vbaStrToAnsi.MSVBVM60(?,?,?,?), ref: 00426A49
                                                              • __vbaSetSystemError.MSVBVM60(?,00000000,00000000), ref: 00426A60
                                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00426A74
                                                              • __vbaStrToUnicode.MSVBVM60(?,?), ref: 00426A88
                                                              • __vbaVarMove.MSVBVM60 ref: 00426A97
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00426AAD
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 00426ACC
                                                              • #558.MSVBVM60(?), ref: 00426AD6
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 00426B11
                                                              • __vbaI2I4.MSVBVM60 ref: 00426B26
                                                                • Part of subcall function 004432F0: __vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 0044332F
                                                                • Part of subcall function 004432F0: __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 0044333B
                                                                • Part of subcall function 004432F0: __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 00443346
                                                                • Part of subcall function 004432F0: __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 0044334F
                                                              • #529.MSVBVM60(00004008), ref: 004282AE
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?,00428460), ref: 0042839C
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283AE
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283BD
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283CC
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004283DB
                                                              • __vbaFreeVar.MSVBVM60 ref: 004283E4
                                                              • __vbaFreeVar.MSVBVM60 ref: 004283ED
                                                              • __vbaFreeStr.MSVBVM60 ref: 004283F6
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00428402
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042840B
                                                              • __vbaFreeVar.MSVBVM60 ref: 00428414
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042841D
                                                              • __vbaFreeStr.MSVBVM60 ref: 00428429
                                                              • __vbaFreeStr.MSVBVM60 ref: 00428435
                                                              • __vbaFreeStr.MSVBVM60 ref: 00428441
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042844D
                                                              • __vbaFreeStr.MSVBVM60 ref: 00428459
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Error$CopySystem$List$Chkstk$Destruct$AnsiUnicode$#716BoundsBstrGenerateLock$#516#529#631BoolCallLateNullRedimStr2UnlockZero$#537#558#608#632#644#645#712AddrefLboundUbound
                                                              • String ID: 047778$2221010F0D1908102100274B7F6A$2236351B002F261C537950$254751$3E0E32262506000E6C4954$<pD$<pD$<pD$<pD$<pD$<pD$<pD$<pD$<pD$<pD$===============DARKCLOUD===============$Card Number: $Card Type: $CopyFile$Expiry Date; $H^@$LSvaLSIOiCO$Login Data$Name on Card: $SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$SELECT origin_url, username_value, password_value FROM logins$SELECT origin_url, username_value, password_value, length(password_value) FROM logins$Scripting.FileSystemObject$UnoAURirjLstwbtIVegZrKVdeQLzDpJt$Url : $VrFIIhuTxEJDgJvDKDmSLWijIGOIJAwTCJbiOOEhjL$Web Data$\LogabacusesxBGTaeIfvTUzjaQgHAWxNnWeaZsQuFodevotionality$\WebData$acQqcdzidHoIkEJjVRTRveXnvHgFXysROQijIGKahB$b$card_number_encrypted$d$expiration_month\expiration_year$name_on_card$username_value$ywEPinNKysCpaeMSnVLMtB
                                                              • API String ID: 102252830-1506275019
                                                              • Opcode ID: 0bde710a5e7f6be858d2ec6170400dc416c89e67ec37dda02aa46385cde25996
                                                              • Instruction ID: 86688f994f611e29287f8689958bd7fc7e3ee3fe4f6369ef21ac7e7f275fd57e
                                                              • Opcode Fuzzy Hash: 0bde710a5e7f6be858d2ec6170400dc416c89e67ec37dda02aa46385cde25996
                                                              • Instruction Fuzzy Hash: C833F7B59002189FDB15DF90CD98BDEB7B9BB48304F1081EAE60AB7260DB745B88CF55

                                                              Control-flow Graph

                                                              [Figure: control-flow graph for the function starting at 42ace0; legend: Executed, Not Executed]
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0042ACFE
                                                              • __vbaAryConstruct2.MSVBVM60(?,0040BAA0,00000008,?,00000000,?,00000000,004037E6), ref: 0042AD30
                                                              • __vbaAryConstruct2.MSVBVM60(?,0040BAA0,00000008,?,00000000,?,00000000,004037E6), ref: 0042AD41
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 0042AD50
                                                              • __vbaAryMove.MSVBVM60(?,?,?,00447064,?,00000000,?,00000000,004037E6), ref: 0042AD93
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0042AD9F
                                                              • __vbaForEachAry.MSVBVM60(00000008,?,?,?,?,?,00000000,?,00000000,004037E6), ref: 0042ADCA
                                                              • __vbaStrErrVarCopy.MSVBVM60(?,00000001), ref: 0042ADEB
                                                              • __vbaStrMove.MSVBVM60 ref: 0042ADF9
                                                              • __vbaInStr.MSVBVM60(00000000,Foxmail,00000000), ref: 0042AE07
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042AE22
                                                              • __vbaStrErrVarCopy.MSVBVM60(?), ref: 0042AE41
                                                              • __vbaStrMove.MSVBVM60 ref: 0042AE4F
                                                              • __vbaStrCat.MSVBVM60(0040654C,00000000), ref: 0042AE5B
                                                              • __vbaStrMove.MSVBVM60 ref: 0042AE66
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042AE72
                                                              • __vbaExitEachAry.MSVBVM60(?), ref: 0042AE7F
                                                              • __vbaStrCmp.MSVBVM60(00405E48,?), ref: 0042AECE
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042AEEE
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0042AF08
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042AF19
                                                              • __vbaStrMove.MSVBVM60 ref: 0042AF41
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0042AF62
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0042AF8C
                                                              • #716.MSVBVM60(?,00000000), ref: 0042AF9A
                                                              • __vbaVarZero.MSVBVM60 ref: 0042AFAC
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0042AFEA
                                                              • __vbaChkstk.MSVBVM60 ref: 0042B013
                                                              • __vbaVarLateMemCallLd.MSVBVM60(?,?,RegRead,00000001), ref: 0042B052
                                                              • __vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,004037E6), ref: 0042B05C
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,004037E6), ref: 0042B067
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,004037E6), ref: 0042B073
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0042B0B6
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042B0C7
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0042B110
                                                              • __vbaStrMove.MSVBVM60(00405E48,00000001,000000FF,00000000), ref: 0042B143
                                                              • #712.MSVBVM60(?,00000000), ref: 0042B14E
                                                              • __vbaStrMove.MSVBVM60 ref: 0042B159
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0042B18B
                                                              • #712.MSVBVM60(?,00406544,00405E48,00000001,000000FF,00000000), ref: 0042B1AF
                                                              • __vbaStrMove.MSVBVM60 ref: 0042B1BA
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 0042B1DE
                                                              • #617.MSVBVM60(?,00004008,-00000002), ref: 0042B1FC
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 0042B209
                                                              • __vbaStrMove.MSVBVM60 ref: 0042B214
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042B220
                                                              • __vbaLenBstrB.MSVBVM60(?), ref: 0042B231
                                                              • __vbaInStr.MSVBVM60(00000000,0040C098,?,00000001), ref: 0042B254
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042B28C
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0042B2A6
                                                              • #520.MSVBVM60(?,00004008), ref: 0042B2CD
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042B2DE
                                                              • __vbaStrMove.MSVBVM60 ref: 0042B306
                                                              • __vbaStrMove.MSVBVM60 ref: 0042B0EF
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042B09C
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0042AD68
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438F3E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438F6E
                                                                • Part of subcall function 00438890: #645.MSVBVM60(00004008,00000010), ref: 00438F95
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00438FA0
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(00405E48,?), ref: 00438FC3
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040651C,?), ref: 00438FE1
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040D734,?), ref: 00438FF7
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043901D
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00439028
                                                                • Part of subcall function 00438890: #579.MSVBVM60(00000000), ref: 0043902F
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60 ref: 00439049
                                                                • Part of subcall function 00438890: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 00439078
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0042B36F
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0042B376
                                                              • __vbaStrMove.MSVBVM60 ref: 0042B384
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042B398
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0042B3C3
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,00000000,?,00000000,004037E6), ref: 0042B3E3
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004037E6), ref: 0042B3FE
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 0042B418
                                                              • __vbaAryUnlock.MSVBVM60(?,0042CFAE), ref: 0042CED6
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 0042CEE3
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042CEF9
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CF0B
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CF1A
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,004037E6), ref: 0042CF23
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,004037E6), ref: 0042CF2C
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CF38
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CF50
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,004037E6), ref: 0042CF59
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,004037E6), ref: 0042CF62
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,004037E6), ref: 0042CF6B
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CF83
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,004037E6), ref: 0042CF8C
                                                              • __vbaFreeVar.MSVBVM60(?,00000000,004037E6), ref: 0042CF98
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042CFA7
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 0042CFC2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Copy$DestructList$Bstr$ChkstkError$#516#631#712Construct2EachUnlock$#520#537#579#608#617#632#645#716CallExitLateOverflowPreserveRedimZero
                                                              • String ID: 000B05200B$0A1F313F3E2F3B1A190D376F705835360C1F060015$0A34191F24212F16052F1C062410113430$0D253B113A25060F211A1C$0F3918190A$11181617161B0A207D2A2700$181F0634000201082A123F210F00$19320F340A1E211A5C26292D5B$1F34052F20$20212E152B14227F310F140000$2236351B002F261C537950$25333627013012182D06123C002C013C6C2523321E$28213B2A2634300F211B231B3E300B$3702112A37112216381F0213082C07272C4A3E072873$381B20262207052D$3E0E32262506000E6C4954$3E173C1F14311D6D231113$3F332B312B2D1726$===============DARKCLOUD===============$@$C:\\$CopyFile$FlGDCJJrzahJDSQxdZMSHp$Foxmail$GBPOvULhhrIPf$HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command\$JEslWekOnrTLNk$MWjrSokooyw$MyrUDBVuDleqSuBuOBQGSjs$OMYutyndTSYSgyhohIgnRd$PZYdFLHNGFvrtgJnNKcjijLfUOVSObMP$QKoASWLZnpbYOJxsYtRgiyJrDyvnHZVTNX$RZQkvKEFuFGyeODxYUkIa$RegRead$Scripting.FileSystemObject$UnoAURirjLstwbtIVegZrKVdeQLzDpJt$UpFpVIFtGPDIHBtvSHWjBYgnBzrGQQbUo$Url : $ehzSUUhwIjNxsWiEgGwbmhvDCSNBYKdrwQxdQriprs$lwrMgBdVQbgql$pkCrIXdLbKCC$rKXlxVRkUWgySSgwpKrUWijVBKVbCLRGYf$rmOZHJQcfFuBoKBnbKaClnX$rmjlLWbuuBEcOKtVKMjcbN$rxxDruXqCFivm$ywEPinNKysCpaeMSnVLMtB
                                                              • API String ID: 3369885347-2502826596
                                                              • Opcode ID: 2b96bb4aed277c6d80fa5ba9269b225517646f3a996fdf1804d5cd4ebde720c3
                                                              • Instruction ID: b35aac41b0d424cf20c0db684bbbcc05244b37876a74fdb63063e915b60b28d1
                                                              • Opcode Fuzzy Hash: 2b96bb4aed277c6d80fa5ba9269b225517646f3a996fdf1804d5cd4ebde720c3
                                                              • Instruction Fuzzy Hash: 6713F675900228DFDB24DF60DD88BDEB779BB49300F1081EAE50AB6260EB745B89CF55
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,00000000,?,00000000,004037E6), ref: 0041C40E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 0041C43E
                                                              • __vbaUbound.MSVBVM60(00000001,00759B58,?,00000000,?,00000000,004037E6), ref: 0041C453
                                                              • __vbaI2I4.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0041C45B
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C4F8
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C515
                                                              • __vbaStrCat.MSVBVM60(\accounts.xml,00759B58), ref: 0041C538
                                                              • #645.MSVBVM60(00000008,00000000), ref: 0041C557
                                                              • __vbaStrMove.MSVBVM60 ref: 0041C562
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0041C56E
                                                              • __vbaFreeStr.MSVBVM60 ref: 0041C586
                                                              • __vbaFreeVar.MSVBVM60 ref: 0041C592
                                                              • __vbaNew2.MSVBVM60(004078B0,00000000), ref: 0041C5BD
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C62D
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041C64A
                                                              • __vbaStrCat.MSVBVM60(\accounts.xml,00759B58), ref: 0041C66E
                                                              • __vbaChkstk.MSVBVM60(?), ref: 0041C690
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407520,000000E8), ref: 0041C6F8
                                                              • __vbaFreeVar.MSVBVM60 ref: 0041C716
                                                              • __vbaNew2.MSVBVM60(004078B0,00000000), ref: 0041C732
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407520,000000B4), ref: 0041C79F
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000030), ref: 0041C802
                                                              • __vbaObjSet.MSVBVM60(?,?), ref: 0041C83E
                                                              • __vbaForEachCollObj.MSVBVM60(00407980,?,00000000,00000000), ref: 0041C855
                                                              • __vbaFreeObj.MSVBVM60 ref: 0041C867
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041C881
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041C895
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041C8A3
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041C8B7
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041C8C5
                                                              • __vbaStrMove.MSVBVM60 ref: 0041C8E4
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000030), ref: 0041C920
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408010,0000001C), ref: 0041C985
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000068), ref: 0041C9E5
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041CA05
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CA24
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000030), ref: 0041CA60
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408010,0000001C), ref: 0041CAC5
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041CB25
                                                              • __vbaStrMove.MSVBVM60(?,?,0075A484), ref: 0041CB56
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041CB5D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CB68
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041CB73
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CB7E
                                                              • __vbaStrMove.MSVBVM60(?,?,00405C14,00000000), ref: 0041CB9C
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041CBA3
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CBAE
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041CBB5
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CBC0
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041CBCB
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CBD6
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041CBE2
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CBEF
                                                              • __vbaFreeStrList.MSVBVM60(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041CC3B
                                                              • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041CC62
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041CC8E
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041CC9C
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041CCB0
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041CCBE
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CCDD
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000030), ref: 0041CD19
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408010,0000001C), ref: 0041CD7E
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041CDDE
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041CDFE
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CE1D
                                                              • __vbaStrMove.MSVBVM60(?,?,0075A484), ref: 0041CE3C
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041CE43
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CE4E
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041CE59
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CE64
                                                              • __vbaStrMove.MSVBVM60(?,?,00405C14,00000000), ref: 0041CE82
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041CE89
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CE94
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041CE9B
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CEA6
                                                              • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,00405C14,00000000), ref: 0041CEB7
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CEC2
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041CEC9
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CED4
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041CEE0
                                                              • __vbaStrMove.MSVBVM60 ref: 0041CEED
                                                              • __vbaFreeStrList.MSVBVM60(00000011,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041CF39
                                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041CF52
                                                              • __vbaNextEachCollObj.MSVBVM60(00407980,?,00000000), ref: 0041CF72
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041CFDA
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041CFF7
                                                              • __vbaStrCat.MSVBVM60(\recentservers.xml,00759B58), ref: 0041D01B
                                                              • #645.MSVBVM60(00000008,00000000), ref: 0041D03A
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D045
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0041D051
                                                              • __vbaFreeStr.MSVBVM60 ref: 0041D069
                                                              • __vbaFreeVar.MSVBVM60 ref: 0041D075
                                                              • __vbaNew2.MSVBVM60(004078B0,00000000), ref: 0041D0A0
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D10F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041D12C
                                                              • __vbaStrCat.MSVBVM60(\recentservers.xml,00759B58), ref: 0041D150
                                                              • __vbaChkstk.MSVBVM60(?), ref: 0041D172
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407520,000000E8), ref: 0041D1DA
                                                              • __vbaFreeVar.MSVBVM60 ref: 0041D1F8
                                                              • __vbaNew2.MSVBVM60(004078B0,00000000), ref: 0041D214
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407520,000000DC), ref: 0041D286
                                                              • __vbaObjSet.MSVBVM60(?,?), ref: 0041D2C2
                                                              • __vbaForEachCollObj.MSVBVM60(00407980,?,00000000,00000000), ref: 0041D2D9
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D2F9
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D30D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D31B
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041D352
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D360
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D374
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D382
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041D3BC
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0041D3E2
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041D41E
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000068), ref: 0041D47E
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D4BC
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041D4F8
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041D558
                                                              • __vbaStrCat.MSVBVM60(Url : ftp://,0075A484), ref: 0041D57B
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D586
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041D591
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D59C
                                                              • __vbaStrCat.MSVBVM60(004064D4,00000000), ref: 0041D5A8
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D5B3
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041D5BE
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D5C9
                                                              • __vbaStrCat.MSVBVM60(00406524,00000000), ref: 0041D5D5
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D5E0
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041D5EC
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D5F9
                                                              • __vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041D650
                                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D669
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D681
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D695
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D6A3
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D6B7
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D6C5
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D6E4
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041D6FC
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D70A
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D729
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D74F
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041D78B
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041D7EB
                                                              • __vbaStrMove.MSVBVM60(?,?,0075A484), ref: 0041D81C
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041D823
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D82E
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041D839
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D844
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041D850
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D85D
                                                              • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041D89D
                                                              • __vbaFreeObj.MSVBVM60 ref: 0041D8AC
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D8C1
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D8D5
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041D8E3
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D902
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041D91A
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041D940
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041D97C
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041D9DC
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DA0D
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0041DA2D
                                                              • __vbaFreeObj.MSVBVM60 ref: 0041DA3C
                                                              • __vbaAryMove.MSVBVM60(?,?,?), ref: 0041DA63
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 0041DA76
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041DA97
                                                              • __vbaNextEachCollObj.MSVBVM60(00407980,?,00000000), ref: 0041DAB4
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041DBA7
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DBB2
                                                              • __vbaStrMove.MSVBVM60(00000000,?,00405C14,00000000), ref: 0041DBD0
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041DBD7
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DBE2
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041DBE9
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DBF4
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041DC00
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DC0D
                                                              • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000), ref: 0041DC4D
                                                              • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,0075A484), ref: 0041DC69
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DC74
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041DC80
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DC8D
                                                              • __vbaFreeStr.MSVBVM60 ref: 0041DC96
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041DCAB
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041DCFE
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041DD1B
                                                              • __vbaStrCat.MSVBVM60(\sitemanager.xml,00759B58), ref: 0041DD3E
                                                              • #645.MSVBVM60(00000008,00000000), ref: 0041DD5D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DD68
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0041DD74
                                                              • __vbaFreeStr.MSVBVM60 ref: 0041DD8C
                                                              • __vbaFreeVar.MSVBVM60 ref: 0041DD98
                                                              • __vbaNew2.MSVBVM60(004078B0,00000000), ref: 0041DDC3
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041DE33
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0041DE50
                                                              • __vbaStrCat.MSVBVM60(\sitemanager.xml,00759B58), ref: 0041DE74
                                                              • __vbaChkstk.MSVBVM60(?), ref: 0041DE96
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407520,000000E8), ref: 0041DEFE
                                                              • __vbaFreeVar.MSVBVM60 ref: 0041DF1C
                                                              • __vbaNew2.MSVBVM60(004078B0,00000000), ref: 0041DF38
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407520,000000DC), ref: 0041DFAA
                                                              • __vbaObjSet.MSVBVM60(?,?), ref: 0041DFE6
                                                              • __vbaForEachCollObj.MSVBVM60(00407980,?,00000000,00000000), ref: 0041DFFD
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E01D
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E031
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E03F
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E05E
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D3A1
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60 ref: 0041D33A
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041DADC
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041DAF0
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041DAFE
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0041DB12
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041DB20
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DB3F
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041DB4D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DB6C
                                                              • __vbaStrMove.MSVBVM60(?,?,0075A484), ref: 0041DB8A
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041DB91
                                                              • __vbaStrMove.MSVBVM60 ref: 0041DB9C
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041CC7A
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041E076
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E084
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E098
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E0A6
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E0C5
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041E0E0
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0041E106
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041E142
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000068), ref: 0041E1A2
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E1E0
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041E21C
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041E27C
                                                              • __vbaStrCat.MSVBVM60(Url : ftp://,0075A484), ref: 0041E2A0
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E2AB
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041E2B6
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E2C1
                                                              • __vbaStrCat.MSVBVM60(004064D4,00000000), ref: 0041E2CD
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E2D8
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041E2E3
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E2EE
                                                              • __vbaStrCat.MSVBVM60(00406524,00000000), ref: 0041E2FA
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E305
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041E311
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E31E
                                                              • __vbaFreeStrList.MSVBVM60(00000013,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E375
                                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E38E
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E3A6
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E3BA
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E3C8
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E3DC
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E3EA
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E409
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041E421
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E42F
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E44E
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E474
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041E4B0
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041E510
                                                              • __vbaStrMove.MSVBVM60(?,?,0075A484), ref: 0041E540
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041E547
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E552
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041E55D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E568
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041E574
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E581
                                                              • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041E5C1
                                                              • __vbaFreeObj.MSVBVM60 ref: 0041E5D0
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E5E5
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E5F9
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E607
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E626
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041E63E
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E664
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00407980,00000094), ref: 0041E6A0
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00407980,00000068), ref: 0041E700
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E731
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,00000000), ref: 0041E751
                                                              • __vbaFreeObj.MSVBVM60 ref: 0041E760
                                                              • __vbaAryMove.MSVBVM60(?,?,?), ref: 0041E787
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 0041E79A
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041E7BB
                                                              • __vbaNextEachCollObj.MSVBVM60(00407980,?,00000000), ref: 0041E7D8
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E800
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041E814
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E822
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E841
                                                              • __vbaStrMove.MSVBVM60(?,?,0075A484), ref: 0041E860
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041E867
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E872
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0041E87D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E888
                                                              • __vbaStrCat.MSVBVM60(Application : FileZilla,00405C14,00000000), ref: 0041E899
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E8A4
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041E8AB
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E8B6
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041E8C2
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E8CF
                                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,00000000,00000000,?,00000000), ref: 0041E8FB
                                                              • __vbaStrCat.MSVBVM60(===============DARKCLOUD===============,0075A484), ref: 0041E916
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E921
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 0041E92D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041E93A
                                                              • __vbaFreeStr.MSVBVM60 ref: 0041E943
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041E958
                                                              • __vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,0041EA99), ref: 0041EA41
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,004037E6), ref: 0041EA53
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,004037E6), ref: 0041EA62
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0041EA6B
                                                              • __vbaFreeObj.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0041EA74
                                                              • __vbaFreeObj.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0041EA7D
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0041EA86
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,004037E6), ref: 0041EA92
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Copy$CheckHresult$List$Error$BoundsGenerate$CollEachNew2$Chkstk$#645BstrDestructNextUbound$#516#631$#537#608#632
                                                              • String ID: %$07183735$1735001D$192E1D39$213B3103$2236351B002F261C537950$24183D380F0F161E0207076E7F7A33030B000408$36061A0B1B27190C0F0606475F623E1D092616081C3F00$3E0E32262506000E6C4954$3E1605193726063A545457$8pD$8pD$8pD$8pD$8pD$8pD$8pD$8pD$8pD$8pD$===============DARKCLOUD===============$Application : FileZilla$FiTBwFbXNbNSTsWcxtNhIBCDsQHCSnHGG$GndjmXEiVtnwvmVhDistBIZ$Server$UnoAURirjLstwbtIVegZrKVdeQLzDpJt$Url : ftp://$YehMTflwjkhiNEZcjogmfnl$\accounts.xml$\recentservers.xml$\sitemanager.xml$lIOnJASyaVHwyLTWEXSksZMQ$oRkRGuihrxx$twvjgrDxxfihgeBxteCLapSaDEqXYRz$yGZriDwCiXnpuVMgzpOFIrqgLqgQBDJDvQ$ywEPinNKysCpaeMSnVLMtB
                                                              • API String ID: 2863888553-2382818966
                                                              • Opcode ID: f5d0e4580f046ba16b851de017a04ba0d7e40b34fb7d1f31f6551838b9ce5e8b
                                                              • Instruction ID: 0f577357a350a23fb56b84776780a2ecd00099e0a35730637c51ac1afdb7f25f
                                                              • Opcode Fuzzy Hash: f5d0e4580f046ba16b851de017a04ba0d7e40b34fb7d1f31f6551838b9ce5e8b
                                                              • Instruction Fuzzy Hash: 6A431775900218DFDB14DFA4DD98BDEB7B5FB48300F1081AAE50AB72A4DB345A89CF64

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0043FB4E
                                                              • __vbaAryConstruct2.MSVBVM60(?,0040E8E0,00000008,?,00000000,?,00000000,004037E6), ref: 0043FB80
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 0043FB8F
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0043FBA4
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 0043FBB8
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0043FBC6
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FBE5
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?,00778314), ref: 0043FC03
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043FC0A
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FC15
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043FC31
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 0043FC49
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0043FC5D
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 0043FC6B
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0043FC7F
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 0043FC8D
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FCAC
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?), ref: 0043FCD4
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 0043FCF3
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043FD18
                                                              • #667.MSVBVM60(00000008), ref: 0043FD2B
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FD36
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043FD4F
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043FD56
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FD61
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043FD75
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043FDA9
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FDB8
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FDCD
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FDE1
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FDEF
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FE03
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FE11
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FE30
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?), ref: 0043FE58
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 0043FE77
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043FE9C
                                                              • #667.MSVBVM60(00000008), ref: 0043FEAF
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FEBA
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043FED3
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043FEDA
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FEE5
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043FEF9
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0043FF2D
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043FF3C
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043FF51
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0043FF65
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043FF73
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0043FF87
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043FF95
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FFB4
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 0043FFDC
                                                              • __vbaStrMove.MSVBVM60 ref: 0043FFFB
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00440020
                                                              • #667.MSVBVM60(00000008), ref: 00440033
                                                              • __vbaStrMove.MSVBVM60 ref: 0044003E
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00440057
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0044005E
                                                              • __vbaStrMove.MSVBVM60 ref: 00440069
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044007D
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004400B1
                                                              • __vbaFreeVar.MSVBVM60 ref: 004400C0
                                                              • __vbaStrCopy.MSVBVM60 ref: 004400D5
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004400E9
                                                              • __vbaStrCopy.MSVBVM60 ref: 004400F7
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044010B
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440119
                                                              • __vbaStrMove.MSVBVM60 ref: 00440138
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 00440160
                                                              • __vbaStrMove.MSVBVM60 ref: 0044017F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004401A4
                                                              • #667.MSVBVM60(00000008), ref: 004401B7
                                                              • __vbaStrMove.MSVBVM60 ref: 004401C2
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004401DB
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004401E2
                                                              • __vbaStrMove.MSVBVM60 ref: 004401ED
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440201
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00440235
                                                              • __vbaFreeVar.MSVBVM60 ref: 00440244
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440259
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044026D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044027B
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044028F
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044029D
                                                              • __vbaStrMove.MSVBVM60 ref: 004402BC
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 004402E4
                                                              • __vbaStrMove.MSVBVM60 ref: 00440303
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00440328
                                                              • #667.MSVBVM60(00000008), ref: 0044033B
                                                              • __vbaStrMove.MSVBVM60 ref: 00440346
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0044035F
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00440366
                                                              • __vbaStrMove.MSVBVM60 ref: 00440371
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440385
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004403B9
                                                              • __vbaFreeVar.MSVBVM60 ref: 004403C8
                                                              • __vbaStrCopy.MSVBVM60 ref: 004403DD
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004403F1
                                                              • __vbaStrCopy.MSVBVM60 ref: 004403FF
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00440413
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440421
                                                              • __vbaStrMove.MSVBVM60 ref: 00440440
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 00440468
                                                              • __vbaStrMove.MSVBVM60 ref: 00440487
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004404AC
                                                              • #667.MSVBVM60(00000008), ref: 004404BF
                                                              • __vbaStrMove.MSVBVM60 ref: 004404CA
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004404E3
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004404EA
                                                              • __vbaStrMove.MSVBVM60 ref: 004404F5
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440509
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0044053D
                                                              • __vbaFreeVar.MSVBVM60 ref: 0044054C
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440561
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00440575
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440583
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00440597
                                                              • __vbaStrCopy.MSVBVM60 ref: 004405A5
                                                              • __vbaStrMove.MSVBVM60 ref: 004405C4
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 004405EC
                                                              • __vbaStrMove.MSVBVM60 ref: 0044060B
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00440630
                                                              • #667.MSVBVM60(00000008), ref: 00440643
                                                              • __vbaStrMove.MSVBVM60 ref: 0044064E
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00440667
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0044066E
                                                              • __vbaStrMove.MSVBVM60 ref: 00440679
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044068D
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004406C1
                                                              • __vbaFreeVar.MSVBVM60 ref: 004406D0
                                                              • __vbaStrCopy.MSVBVM60 ref: 004406E5
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004406F9
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440707
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044071B
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440729
                                                              • __vbaStrMove.MSVBVM60 ref: 00440748
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 00440770
                                                              • __vbaStrMove.MSVBVM60 ref: 0044078F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004407B4
                                                              • #667.MSVBVM60(00000008), ref: 004407C7
                                                              • __vbaStrMove.MSVBVM60 ref: 004407D2
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004407EB
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004407F2
                                                              • __vbaStrMove.MSVBVM60 ref: 004407FD
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440811
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00440845
                                                              • __vbaFreeVar.MSVBVM60 ref: 00440854
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440869
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044087D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044088B
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044089F
                                                              • __vbaStrCopy.MSVBVM60 ref: 004408AD
                                                              • __vbaStrMove.MSVBVM60 ref: 004408CC
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 004408F4
                                                              • __vbaStrMove.MSVBVM60 ref: 00440913
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00440938
                                                              • #667.MSVBVM60(00000008), ref: 0044094B
                                                              • __vbaStrMove.MSVBVM60 ref: 00440956
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0044096F
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00440976
                                                              • __vbaStrMove.MSVBVM60 ref: 00440981
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440995
                                                              • __vbaFreeStrList.MSVBVM60(0000000B,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004409C9
                                                              • __vbaFreeVar.MSVBVM60 ref: 004409D8
                                                              • __vbaStrCopy.MSVBVM60 ref: 004409ED
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00440A01
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440A0F
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00440A23
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440A31
                                                              • __vbaStrMove.MSVBVM60 ref: 00440A50
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00440A7E
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440A8C
                                                              • __vbaStrMove.MSVBVM60 ref: 00440AAB
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?), ref: 00440AED
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00440B0E
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00440B15
                                                              • __vbaStrMove.MSVBVM60 ref: 00440B20
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440B34
                                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,00000000,00000000), ref: 00440B60
                                                              • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,00000008,?), ref: 00440B87
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440B9F
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00440BB3
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440BC1
                                                              • __vbaStrMove.MSVBVM60 ref: 00440BE0
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00440C0E
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00440C47
                                                              • __vbaVarAdd.MSVBVM60(00000008,00000008,?), ref: 00440C68
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00440C6F
                                                              • __vbaStrMove.MSVBVM60 ref: 00440C7A
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440C8E
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00440CAA
                                                              • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,00000008), ref: 00440CCA
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440CE2
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00440CF6
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440D04
                                                              • __vbaStrMove.MSVBVM60 ref: 00440D23
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00440D51
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00440D8A
                                                              • __vbaVarAdd.MSVBVM60(00000008,00000008,?), ref: 00440DAB
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00440DB2
                                                              • __vbaStrMove.MSVBVM60 ref: 00440DBD
                                                              • __vbaStrCopy.MSVBVM60 ref: 00440DD1
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00440DED
                                                              • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,00000008), ref: 00440E0D
                                                              • #645.MSVBVM60(00004008,00000010), ref: 00440EB4
                                                              • __vbaStrMove.MSVBVM60 ref: 00440EBF
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00440ECB
                                                              • __vbaFreeStr.MSVBVM60 ref: 00440EE3
                                                              • #645.MSVBVM60(00004008,00000010), ref: 00440F1B
                                                              • __vbaStrMove.MSVBVM60 ref: 00440F26
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00440F32
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Copy$Free$List$Error$BoundsGenerate$#667$#666Bstr$#516#631#645$#537#608#632ChkstkConstruct2
                                                              • String ID: #$09312016210C371E2A0B1C2A101277113C31$0E093100263F37$18113D39231F212F31373C060B17073F160E372B20212621$1A3512320711030B14$1E1800150533003015283904244524000C19111E3D2C3C363E01011D03$2E241A36253F1530060A3B1B222B291A00$37073025001B3F152D10172600186C3F2B0802293D14$3733100E111C$39011D371D10350C1C23290F084B112D1C1B113417162B2D2C30230529$391E3A390D06312112132131$3A0C180528370A212418183018093A1F0001$3A19231828193916122D3D32233B$3B0A0D3B560A2D260C053032583A0F3E1B3B182C37041F0C06123A3A222D05121B14467E072807022927370505470E330E0328200B$3D1B0B251B2A3A$DC-CWs$IeFhVotTPPLJndkBYsipSrJGHZUOaKJcGKrnKLQvG$JUrRoQxXIKgpOdaYkUANlOieBsrZNedw$LDRRPMpLFmtSoexjVJyVG$LuQyxAGaqVRupPVgBhdrhOUdFNiQYgVmNI$QBytzhZclYGZeHewtckpyXpPSHdmyatr$SfIlmMEoTIDsUazNprdEyf$TravSFKgEkVLzNGLnspsDaT$WkisobtVonmXFmQddOJrTFK$\ChromeMetaMaskVaultData.txt$\EdgeMetaMaskVaultData.txt$\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn$\Microsoft\Edge\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm$afZQaXmVAsAQWWHqYraFjNNFRnjHUIBu$agibVxfDDiwDKvPnFcgQBS$eaZyHtXCOnLvbfGBBGxdSawdoDtDeErZjqnZcuhmTt$fOyADGKVrDsLLqFJkWJUsr$ukBHJdnLIHhxB$wFWkFbrlbzQtclDHdYdbqiXsKiSiUURWSJPxrmnLSiwI
                                                              • API String ID: 566692647-3100018197
                                                              • Opcode ID: e44934935cf895ad76db129d5bad83b08f72159d4547cf5c72571fe0f8c81609
                                                              • Instruction ID: 436533d02486d5dc5a40aac620f72aa434872c7d1e7c8c92017c89d0a4411ecc
                                                              • Opcode Fuzzy Hash: e44934935cf895ad76db129d5bad83b08f72159d4547cf5c72571fe0f8c81609
                                                              • Instruction Fuzzy Hash: D403F675901218DBDB14DFE0DD88AEEB7B8FF48304F1082AAE506B7264EB745A49CF54

                                                              Control-flow Graph
                                                              • Function beginning at 0043D5E0 (first block 43d5e0-43d75c); graph legend: Executed / Not Executed
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0043D5FE
                                                              • __vbaAryConstruct2.MSVBVM60(?,0040DF44,00000008,?,00000000,?,00000000,004037E6), ref: 0043D630
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 0043D63F
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0043D654
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 0043D668
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0043D676
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D695
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0043D6AD
                                                              • __vbaStrMove.MSVBVM60(00778314), ref: 0043D6D2
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043D6D9
                                                              • #645.MSVBVM60(00000008,00000010), ref: 0043D6F5
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D700
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0043D70C
                                                              • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,?), ref: 0043D73E
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,00000000,?,00000000,004037E6), ref: 0043D74D
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,004037E6), ref: 0043D771
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,?,00000000,004037E6), ref: 0043D785
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,004037E6), ref: 0043D793
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D7B2
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?,00778314), ref: 0043D7D0
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043D7D7
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D7E2
                                                              • #531.MSVBVM60(00000000), ref: 0043D7E9
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000000), ref: 0043D809
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,?,00000000,004037E6), ref: 0043D821
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,?,00000000,004037E6), ref: 0043D835
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043D857
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D876
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 0043D8A4
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043D8DD
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0043D8FE
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0043D913
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043D91A
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D925
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043D939
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043D955
                                                              • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043D97C
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043D994
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0043D9A8
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043D9B6
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D9D5
                                                              • #666.MSVBVM60(?,00000008), ref: 0043DA03
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043DA3C
                                                              • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 0043DA5D
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043DA64
                                                              • __vbaStrMove.MSVBVM60 ref: 0043DA6F
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DA83
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043DA9F
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?), ref: 0043DABF
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0043DAD7
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 0043DAEB
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DB0D
                                                              • __vbaStrMove.MSVBVM60 ref: 0043DB2C
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 0043DB5A
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043DB93
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0043DBB4
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0043DBC9
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043DBD0
                                                              • __vbaStrMove.MSVBVM60 ref: 0043DBDB
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DBEF
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043DC0B
                                                              • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 0043DC32
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DC4A
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0043DC5E
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DC80
                                                              • __vbaStrMove.MSVBVM60 ref: 0043DC9F
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 0043DCCD
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043DD06
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0043DD27
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,00000000), ref: 0043DD3C
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043DD43
                                                              • __vbaStrMove.MSVBVM60 ref: 0043DD4E
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DD62
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043DD7E
                                                              • __vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?), ref: 0043DDA5
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DE04
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0043DE18
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DE26
                                                              • __vbaStrMove.MSVBVM60 ref: 0043DE45
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0043DE5D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DE6B
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0043DE7F
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043DE8D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Copy$Free$List$Error$#666BoundsGenerate$Bstr$#516#631$#531#537#608#632#645ChkstkConstruct2
                                                              • String ID: 00052C08$003C22$023D331B3E1B2903$041F1C1F261009$0E093100263F37$11011C1B$1B1C16$232E2F$28192F$2D170F03140562382E3E$303D27$3637133B2901$3E2611$<:"$BdSAVmCTKAmIWldErOhlS$C:\Users\$DC-FG$EjqzWLrVxWowgwCGTIPqFhycwWHtfceSKHERDUDUCD$FSJINiKUvkEBYCUVbRYho$HDESWhDOOaaGU$MXYusCcUVhQ$NFJbUBmIssjGvLVBMPJtVmLrdVBKVbzgTFIoFaSBGa$SWnvIpZdFdhunnluRjUtswWjvfDCUvPKbrjsSMMOGChj$ZdjOpovJdTh$\Desktop$\Documents$\Favorites$\Microsoft\Windows\Recent$anhudnQHbJZjtOsqxzJhTLUgxNIBrdczk$fOyADGKVrDsLLqFJkWJUsr$oimocZMoaGJpGVxaDqYDPeulierdcBcZm$rZmIQvNWQfXV$wqQfoqvLBGNjTFaeuGvPOkIpQDzsjiMJ
                                                              • API String ID: 3302702686-1470286396
                                                              • Opcode ID: 4adf282a7b8f0d98feeea9d09854028dbded8526850d2478f47ed7e02f50cc09
                                                              • Instruction ID: 1f14f782ea0800c578322140723d345aca5d3df19dcb54cee658aae56af0f3a6
                                                              • Opcode Fuzzy Hash: 4adf282a7b8f0d98feeea9d09854028dbded8526850d2478f47ed7e02f50cc09
                                                              • Instruction Fuzzy Hash: A0F2F676D002189BDB15DFE0DD88ADEB7B9FF48300F10816AE506BB264EB746A49CF54
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6), ref: 0041070E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004037E6), ref: 00410755
                                                              • __vbaLenBstrB.MSVBVM60(0081C8FC,?,?,?,?,004037E6), ref: 0041077E
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,004037E6), ref: 004107AF
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,004037E6), ref: 004107BD
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,004037E6), ref: 004107D1
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,004037E6), ref: 004107DF
                                                              • __vbaStrMove.MSVBVM60 ref: 004107F8
                                                              • __vbaStrCopy.MSVBVM60 ref: 00410806
                                                              • __vbaStrCopy.MSVBVM60 ref: 00410814
                                                              • __vbaStrMove.MSVBVM60(00000008,?,00000000), ref: 00410863
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041086A
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0041088E
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00410895
                                                              • __vbaStrMove.MSVBVM60 ref: 004108A0
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004108A7
                                                              • __vbaStrMove.MSVBVM60 ref: 004108B2
                                                              • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004108F2
                                                                • Part of subcall function 0043C3E0: __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,0041C10F,?,00447038), ref: 0043C3FE
                                                                • Part of subcall function 0043C3E0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043C42E
                                                                • Part of subcall function 0043C3E0: #648.MSVBVM60(0000000A), ref: 0043C454
                                                                • Part of subcall function 0043C3E0: __vbaFreeVar.MSVBVM60 ref: 0043C461
                                                                • Part of subcall function 0043C3E0: __vbaFileOpen.MSVBVM60(00000220,000000FF,?), ref: 0043C480
                                                                • Part of subcall function 0043C3E0: __vbaPut3.MSVBVM60(00000000,00000000,?), ref: 0043C498
                                                                • Part of subcall function 0043C3E0: __vbaFileClose.MSVBVM60(?), ref: 0043C4AA
                                                              • __vbaStrCopy.MSVBVM60(?,00447084), ref: 0041091F
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?), ref: 00410952
                                                              • __vbaStrCopy.MSVBVM60 ref: 00410984
                                                              • __vbaStrCat.MSVBVM60(\KeyData.Log,00778314), ref: 0041099F
                                                              • __vbaStrMove.MSVBVM60 ref: 004109AA
                                                              • __vbaFreeStr.MSVBVM60(?,00447084), ref: 004109C1
                                                              • __vbaStrCopy.MSVBVM60 ref: 004109D8
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004037E6), ref: 0041092D
                                                                • Part of subcall function 00441A70: __vbaOnError.MSVBVM60(00000001), ref: 00441B0C
                                                                • Part of subcall function 00441A70: __vbaStrCopy.MSVBVM60 ref: 00441B20
                                                                • Part of subcall function 00441A70: __vbaStrMove.MSVBVM60(?), ref: 00441B36
                                                                • Part of subcall function 00441A70: __vbaStrCopy.MSVBVM60 ref: 00441B40
                                                                • Part of subcall function 00441A70: __vbaStrMove.MSVBVM60 ref: 00441B4B
                                                                • Part of subcall function 00441A70: __vbaStrMove.MSVBVM60(?,?), ref: 00441B5F
                                                                • Part of subcall function 00441A70: __vbaStrMove.MSVBVM60(00000000), ref: 00441B6B
                                                                • Part of subcall function 00441A70: #716.MSVBVM60(?,00000000), ref: 00441B72
                                                                • Part of subcall function 00441A70: __vbaVarSetVar.MSVBVM60(?,?), ref: 00441B80
                                                                • Part of subcall function 00441A70: __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00441BA0
                                                                • Part of subcall function 00441A70: __vbaStrCopy.MSVBVM60 ref: 00441BB1
                                                              • __vbaStrMove.MSVBVM60 ref: 00410875
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?,00778314), ref: 0041084C
                                                                • Part of subcall function 0043C700: __vbaStrCopy.MSVBVM60 ref: 0043C745
                                                                • Part of subcall function 0043C700: #594.MSVBVM60(?), ref: 0043C768
                                                                • Part of subcall function 0043C700: __vbaFreeVar.MSVBVM60 ref: 0043C771
                                                                • Part of subcall function 0043C700: __vbaStr2Vec.MSVBVM60(?), ref: 0043C781
                                                                • Part of subcall function 0043C700: __vbaAryMove.MSVBVM60(?,?), ref: 0043C78F
                                                                • Part of subcall function 0043C700: __vbaLenBstr.MSVBVM60 ref: 0043C798
                                                                • Part of subcall function 0043C700: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0@7@,00000000), ref: 0043C7D0
                                                                • Part of subcall function 0043C700: #593.MSVBVM60(0000000A), ref: 0043C7F3
                                                                • Part of subcall function 0043C700: __vbaFpI4.MSVBVM60 ref: 0043C81F
                                                                • Part of subcall function 0043C700: __vbaGenerateBoundsError.MSVBVM60 ref: 0043C83F
                                                              • __vbaStrMove.MSVBVM60 ref: 0041082D
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,004037E6), ref: 0041079B
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaFreeStr.MSVBVM60(00410A59,?,?,?,?,004037E6), ref: 00410A52
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Copy$BstrList$Error$#516#631ChkstkFile$#537#593#594#608#632#648#716BoundsCloseGenerateOpenPut3RedimStr2
                                                              • String ID: .BMP$0221241430103F2002232B06$023D331B3E1B2903$03005F3E0A3207361922361920$081F2D323C2D05112C0130$1800072D34302615$2027190C241B1527$2230212B0A093E02393C$260308233B3416$2C3132260301063F$310D2E002705090721073A31$32362F320C0007$341F281E22263838250B001D05$3E04072A05$60013023$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$Add$CcHwxExaTkhtMTBsKBrbGr$DC-KL$DC-SC$FUBqncQsCkGtvXxSqEOzT$HAdMTBhyWHdenrapNTSSkypS$HkmHVYCqxMmCfihxHVfgmyA$PaTAUbfcLvF$Remove$SWnvIpZdFdhunnluRjUtswWjvfDCUvPKbrjsSMMOGChj$SqSSNogMjVHj$\KeyData.Log$\Screenshot$bDKbTpQRtpDKIZdGUKbPtnt$cwmQnVIoYIgeivSWQlzjTYR$dAniDeDzrLbfCnmoSWCNNMYg$eySVvmtfLYKdCKkMdKGxtF$jNuHWFSDAlsjqPJuIkybOjYMzMocaYBOQWRxaRTpRDs$oelgHRQeOLF$uxmkOvwJEOsp$7@
                                                              • API String ID: 130171941-2051818101
                                                              • Opcode ID: 08495813ac10538d5e1e352abcb6270f8e676c35fc30d64f47d5b4496255ae50
                                                              • Instruction ID: 9ae084659a1a57630dc22acedebdd74e498a3b1898039550e395d744e81f3a90
                                                              • Opcode Fuzzy Hash: 08495813ac10538d5e1e352abcb6270f8e676c35fc30d64f47d5b4496255ae50
                                                              • Instruction Fuzzy Hash: 2113FB75900218DFDB14DFA4D948BDEBBB5FF48304F1081AAE506B72A0DB745A89CFA4

                                                              Control-flow Graph

                                                              • control_flow_graph 2778, function at 00443530 (graph not reproduced)
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6,00443400,?,00000000,?,00000000,004037E6), ref: 0044354E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6,00443400), ref: 0044357E
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6,00443400), ref: 00443596
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,004037E6,00443400), ref: 004435B0
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6,00443400), ref: 004435C1
                                                              • __vbaStrMove.MSVBVM60 ref: 004435E9
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • #666.MSVBVM60(?,00000008,?,?,?,?,?,?), ref: 00443620
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0044364F
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00443656
                                                              • __vbaStrMove.MSVBVM60 ref: 00443661
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 00443685
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000,?,00000000,004037E6,00443400), ref: 004436A5
                                                              • #645.MSVBVM60(00004008,00000010), ref: 004436D1
                                                              • __vbaStrMove.MSVBVM60 ref: 004436DF
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 004436EB
                                                              • __vbaFreeStr.MSVBVM60 ref: 00443706
                                                              • __vbaStrCat.MSVBVM60(0040654C,?), ref: 0044373B
                                                              • __vbaStrMove.MSVBVM60 ref: 00443749
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438F3E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438F6E
                                                                • Part of subcall function 00438890: #645.MSVBVM60(00004008,00000010), ref: 00438F95
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00438FA0
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(00405E48,?), ref: 00438FC3
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040651C,?), ref: 00438FE1
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040D734,?), ref: 00438FF7
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043901D
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00439028
                                                                • Part of subcall function 00438890: #579.MSVBVM60(00000000), ref: 0043902F
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60 ref: 00439049
                                                                • Part of subcall function 00438890: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 00439078
                                                              • __vbaAryMove.MSVBVM60(00447070,?,?,00447064), ref: 00443772
                                                              • __vbaFreeStr.MSVBVM60 ref: 0044377E
                                                              • __vbaForEachAry.MSVBVM60(00000008,?,?,?,00000000), ref: 004437BD
                                                              • __vbaAryUnlock.MSVBVM60(?,004449C5), ref: 00444961
                                                              • __vbaFreeVar.MSVBVM60 ref: 0044496D
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0044497C
                                                              • __vbaFreeVar.MSVBVM60 ref: 00444985
                                                              • __vbaFreeStr.MSVBVM60 ref: 0044498E
                                                              • __vbaFreeVar.MSVBVM60 ref: 00444997
                                                              • __vbaFreeVar.MSVBVM60 ref: 004449A0
                                                              • __vbaFreeVar.MSVBVM60 ref: 004449A9
                                                              • __vbaFreeStr.MSVBVM60 ref: 004449B2
                                                              • __vbaFreeVar.MSVBVM60 ref: 004449BE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$Move$BstrList$#516#631#645ChkstkCopyError$#537#579#608#632#666DestructEachPreserveRedimUnlock
                                                              • String ID: 0E093100263F37$310E3D280B070074292B293927102A144A120F6A09322B253335$CopyFile$E$HmiQGiflYDNZJFwOggvmDzCGLGPoHpCRW$SELECT c3author, c4recipients FROM messagesText_content$SELECT name FROM contacts$SELECT name FROM contacts$SELECT value FROM identities$SELECT value FROM identities$Scripting.FileSystemObject$\LogabacusesxBGTaeIfvTUzjaQgHAWxNnWeaZsQuFodevotionality$\Thunderbird\Profiles$c3author$c4recipients$d$fOyADGKVrDsLLqFJkWJUsr$name$value
                                                              • API String ID: 1793064488-148280627
                                                              • Opcode ID: 80d2cea760e0cc46325095d101054d69b655c36cdb88daf839dea90cabef7da7
                                                              • Instruction ID: 2a02a8a488678d7db050b57f1fe66dfdb0c12db71c1b88b9f4c10bce32505f2b
                                                              • Opcode Fuzzy Hash: 80d2cea760e0cc46325095d101054d69b655c36cdb88daf839dea90cabef7da7
                                                              • Instruction Fuzzy Hash: 9CC22BB5900219DFDB24DFA0CD48BDEB7B9BF48304F1081EAE50AA7251DB745A89CF64

                                                              Control-flow Graph

                                                              • control_flow_graph 2886, function at 00441A70 (graph not reproduced)
                                                              APIs
                                                              • __vbaOnError.MSVBVM60(00000001), ref: 00441B0C
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441B20
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00441B36
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441B40
                                                              • __vbaStrMove.MSVBVM60 ref: 00441B4B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00441B5F
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 00441B6B
                                                              • #716.MSVBVM60(?,00000000), ref: 00441B72
                                                              • __vbaVarSetVar.MSVBVM60(?,?), ref: 00441B80
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00441BA0
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441BB1
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00441BC1
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441BCB
                                                              • __vbaStrMove.MSVBVM60 ref: 00441BD6
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?,00406544), ref: 00441BEF
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00441BF2
                                                              • __vbaStrMove.MSVBVM60 ref: 00441BFD
                                                              • __vbaStrCat.MSVBVM60(00406544,00000000), ref: 00441C05
                                                              • __vbaVarLateMemSt.MSVBVM60(?,From), ref: 00441C35
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00441C55
                                                              • __vbaFreeVar.MSVBVM60 ref: 00441C61
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441C6F
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00441C7F
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441C89
                                                              • __vbaStrMove.MSVBVM60 ref: 00441C94
                                                              • __vbaVarLateMemSt.MSVBVM60(?,0040ECA0), ref: 00441CCD
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00441CE5
                                                              • __vbaFreeVar.MSVBVM60 ref: 00441CF1
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441CFF
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00441D0F
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441D19
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00441D29
                                                              • __vbaStrCat.MSVBVM60(:::,00000000), ref: 00441D36
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441D54
                                                              • __vbaStrMove.MSVBVM60 ref: 00441D5F
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00441D80
                                                              • __vbaStrCopy.MSVBVM60 ref: 00441DA2
                                                              • __vbaStrMove.MSVBVM60 ref: 00441DAD
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00441DDA
                                                              • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 00441E19
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 00441E2E
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00441E43
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00441E58
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00441E6D
                                                              • __vbaVarLateMemSt.MSVBVM60(?,Subject), ref: 00441E97
                                                              • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 00441EBF
                                                              • __vbaFreeVarList.MSVBVM60(0000000A,00000008,00000008,?,?,00000008,?,?,?,?,?), ref: 00441F07
                                                              • __vbaVarLateMemSt.MSVBVM60(?,TextBody), ref: 00441F4B
                                                              • #645.MSVBVM60(00004008,00000000), ref: 00441F6C
                                                              • __vbaStrMove.MSVBVM60 ref: 00441F77
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00441F7F
                                                              • __vbaFreeStr.MSVBVM60 ref: 00441F96
                                                              • __vbaObjVar.MSVBVM60(?,AddAttachment,00000001), ref: 0044242B
                                                              • __vbaLateMemCall.MSVBVM60(00000000), ref: 00442432
                                                              • __vbaVarLateMemCallLd.MSVBVM60(00000008,?,Configuration,00000000), ref: 00442449
                                                              • __vbaVarSetVar.MSVBVM60(?,00000000), ref: 00442457
                                                              • __vbaStrCopy.MSVBVM60 ref: 00442465
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00442475
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044247F
                                                              • __vbaStrMove.MSVBVM60 ref: 0044248A
                                                              • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 004424FE
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00442516
                                                              • __vbaFreeVar.MSVBVM60 ref: 00442522
                                                              • __vbaStrCopy.MSVBVM60 ref: 00442530
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00442540
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044254A
                                                              • __vbaStrMove.MSVBVM60 ref: 00442555
                                                              • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 004425CC
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004425E4
                                                              • __vbaFreeVar.MSVBVM60 ref: 004425F0
                                                              • __vbaStrCopy.MSVBVM60 ref: 004425FE
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044260E
                                                              • __vbaStrCopy.MSVBVM60 ref: 00442618
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00442628
                                                              • __vbaStrCopy.MSVBVM60 ref: 00442632
                                                              • __vbaStrMove.MSVBVM60 ref: 0044263D
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 0044265E
                                                              • __vbaStrMove.MSVBVM60 ref: 00442669
                                                              • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 004426C2
                                                              • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 004426EA
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 004426FD
                                                              • __vbaStrCopy.MSVBVM60 ref: 0044270E
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0044271E
                                                              • __vbaStrCopy.MSVBVM60 ref: 00442728
                                                              • __vbaStrMove.MSVBVM60 ref: 00442733
                                                              • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 004427AA
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004427C2
                                                              • __vbaFreeVar.MSVBVM60 ref: 004427CE
                                                              • __vbaStrCopy.MSVBVM60 ref: 004427DC
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004427EC
                                                              • __vbaStrCopy.MSVBVM60 ref: 004427F6
                                                              • __vbaStrMove.MSVBVM60 ref: 00442801
                                                              • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 00442878
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00442890
                                                              • __vbaFreeVar.MSVBVM60 ref: 0044289C
                                                              • __vbaStrCopy.MSVBVM60 ref: 004428AA
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004428BA
                                                              • __vbaStrCopy.MSVBVM60 ref: 004428C4
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004428D4
                                                              • __vbaStrCopy.MSVBVM60 ref: 004428DE
                                                              • __vbaStrMove.MSVBVM60 ref: 004428E9
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 0044290A
                                                              • __vbaStrMove.MSVBVM60 ref: 00442915
                                                              • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 0044296E
                                                              • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 00442996
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 004429A9
                                                              • __vbaStrCopy.MSVBVM60 ref: 004429BA
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004429CA
                                                              • __vbaStrCopy.MSVBVM60 ref: 004429D4
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004429E4
                                                              • __vbaStrCopy.MSVBVM60 ref: 004429EE
                                                              • __vbaStrMove.MSVBVM60 ref: 004429F9
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 00442A1A
                                                              • __vbaStrMove.MSVBVM60 ref: 00442A25
                                                              • __vbaVarLateMemCallSt.MSVBVM60(?,Fields,00000001), ref: 00442A7C
                                                              • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 00442AA4
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000008,00000008), ref: 00442AB7
                                                              • __vbaVarLateMemCallLdRf.MSVBVM60(00000008,?,Fields,00000000,Update,00000000), ref: 00442AD4
                                                              • __vbaObjVar.MSVBVM60(00000000), ref: 00442ADE
                                                              • __vbaLateMemCall.MSVBVM60(00000000), ref: 00442AEB
                                                              • __vbaFreeVar.MSVBVM60 ref: 00442AF3
                                                              • __vbaObjVar.MSVBVM60(?,Send,00000000), ref: 00442B03
                                                              • __vbaLateMemCall.MSVBVM60(00000000), ref: 00442B0A
                                                              • #645.MSVBVM60(00004008,00000000), ref: 00442B31
                                                              • __vbaStrMove.MSVBVM60 ref: 00442B3C
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00442B44
                                                              • __vbaFreeStr.MSVBVM60 ref: 00442B57
                                                              • __vbaVarDup.MSVBVM60 ref: 00442B7D
                                                              • #529.MSVBVM60(00000008), ref: 00442B87
                                                              • __vbaFreeVar.MSVBVM60 ref: 00442B90
                                                              • __vbaExitProc.MSVBVM60 ref: 00442B96
                                                              • __vbaExitProc.MSVBVM60 ref: 00442BBF
                                                              • __vbaFreeVar.MSVBVM60(00442C51), ref: 00442C49
                                                              • __vbaFreeVar.MSVBVM60 ref: 00442C4E
                                                              Strings
                                                              • TextBody, xrefs: 00441F42
                                                              • Update, xrefs: 00442AC1
                                                              • Fields, xrefs: 004424F5, 004425C3, 004426B9, 004427A1, 0044286F, 00442965, 00442A73, 00442AC7
                                                              • AddAttachment, xrefs: 00442422
                                                              • From, xrefs: 00441C2C
                                                              • Configuration, xrefs: 0044243C
                                                              • :::, xrefs: 00441D31
                                                              • Send, xrefs: 00442AFA
                                                              • Subject, xrefs: 00441E8E
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Copy$List$Late$Call$Bstr$#516#631#645#666ExitProc$#529#537#608#632#716Error
                                                              • API String ID: 3321761847-3651620832
                                                              • Opcode ID: 4c14cf852d888024d3a7001f0b3bf9c7426cc8a87ff2928a66e89963a9060b16
                                                              • Instruction ID: bbc2f57902a466ed8fecf2850e197c5015cc8b6821a463290bdb240b3bc6e55c
                                                              • Opcode Fuzzy Hash: 4c14cf852d888024d3a7001f0b3bf9c7426cc8a87ff2928a66e89963a9060b16
                                                              • Instruction Fuzzy Hash: 5CA2EBB1D102189BCB14DFE4CD849DEBBB9FF48300F14866EE506A7254EB745A4ACF94

                                                              Control-flow Graph

                                                              [Control-flow graph figure; legend: Executed / Not Executed]
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6,00411143), ref: 0043675E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6,00411143), ref: 0043678E
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004037E6,00411143), ref: 004367A3
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004037E6,00411143), ref: 004367B7
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004037E6,00411143), ref: 004367C5
                                                              • __vbaStrMove.MSVBVM60 ref: 004367E4
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • #666.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00436809
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0043683E
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00436845
                                                              • __vbaStrMove.MSVBVM60 ref: 00436850
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438F3E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438F6E
                                                                • Part of subcall function 00438890: #645.MSVBVM60(00004008,00000010), ref: 00438F95
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00438FA0
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(00405E48,?), ref: 00438FC3
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040651C,?), ref: 00438FE1
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040D734,?), ref: 00438FF7
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043901D
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00439028
                                                                • Part of subcall function 00438890: #579.MSVBVM60(00000000), ref: 0043902F
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60 ref: 00439049
                                                                • Part of subcall function 00438890: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 00439078
                                                              • __vbaAryMove.MSVBVM60(0044705C,?,?,0000FFFF), ref: 00436878
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00436894
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,004037E6,00411143), ref: 004368AE
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004037E6,00411143), ref: 004368C6
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,004037E6,00411143), ref: 004368DA
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,004037E6,00411143), ref: 004368E8
                                                              • __vbaStrMove.MSVBVM60 ref: 00436907
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • #666.MSVBVM60(?,00000008), ref: 0043692C
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00436961
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00436968
                                                              • __vbaStrMove.MSVBVM60 ref: 00436973
                                                                • Part of subcall function 00438890: __vbaGenerateBoundsError.MSVBVM60 ref: 004390B8
                                                                • Part of subcall function 00438890: __vbaGenerateBoundsError.MSVBVM60 ref: 004390CC
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(?), ref: 004390DF
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 004390EA
                                                                • Part of subcall function 00438890: __vbaStrCopy.MSVBVM60 ref: 004390FB
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60 ref: 00439104
                                                                • Part of subcall function 00438890: #645.MSVBVM60(0000000A,00000000), ref: 0043914D
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00439158
                                                                • Part of subcall function 00438890: __vbaFreeVar.MSVBVM60 ref: 00439161
                                                                • Part of subcall function 00438890: __vbaAryMove.MSVBVM60(?,?), ref: 0043917B
                                                                • Part of subcall function 00438890: __vbaAryDestruct.MSVBVM60(00000000,?,004391C7), ref: 004391B7
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60 ref: 004391C0
                                                              • __vbaAryMove.MSVBVM60(00447060,?,?,0000FFFF), ref: 0043699B
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 004369B7
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?), ref: 004369D1
                                                              • #526.MSVBVM60(?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 004369EA
                                                              • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 004369F4
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00436A01
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00436A0A
                                                              • __vbaStrToAnsi.MSVBVM60(?,00759374,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 00436A26
                                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00436A38
                                                              • __vbaStrToUnicode.MSVBVM60(00447028,?,?,?,?,?,?,?,?,?,?,?), ref: 00436A47
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00436A5B
                                                              • #616.MSVBVM60(00759374,00000013,?,?,?,?,?,?,?,?,?,?), ref: 00436A76
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00436A83
                                                              • __vbaLenBstr.MSVBVM60(00759374), ref: 00436AAA
                                                              • #709.MSVBVM60(00759374,0040654C,000000FF,00000000), ref: 00436AC2
                                                              • #619.MSVBVM60(?,00004008,00000000), ref: 00436ADC
                                                              • __vbaStrVarVal.MSVBVM60(?,?,00405E48,00000001,000000FF,00000000), ref: 00436AF5
                                                              • #712.MSVBVM60(00759374,00000000), ref: 00436B02
                                                              • __vbaStrMove.MSVBVM60 ref: 00436B0D
                                                              • __vbaStrCat.MSVBVM60(\winsqlite3.dll,00759374), ref: 00436B1F
                                                              • __vbaStrMove.MSVBVM60 ref: 00436B48
                                                              • __vbaStrCat.MSVBVM60(SysWOW64\winsqlite3.dll,00000000), ref: 00436B54
                                                              • #645.MSVBVM60(00000008,00000000), ref: 00436B6D
                                                              • __vbaStrMove.MSVBVM60 ref: 00436B78
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00436B84
                                                              • #645.MSVBVM60(00000008,00000000), ref: 00436B9D
                                                              • __vbaStrMove.MSVBVM60 ref: 00436BA8
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00436BB4
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00436BE2
                                                              • __vbaFreeVarList.MSVBVM60(00000003,00000008,?,?), ref: 00436BFC
                                                              • __vbaVarDup.MSVBVM60 ref: 00436C49
                                                              • #645.MSVBVM60(00000008,00000000), ref: 00436C55
                                                              • __vbaStrMove.MSVBVM60 ref: 00436C60
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00436C6C
                                                              • __vbaFreeStr.MSVBVM60 ref: 00436C83
                                                              • __vbaFreeVar.MSVBVM60 ref: 00436C8C
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436CB7
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00436CCB
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436CD9
                                                              • __vbaStrMove.MSVBVM60 ref: 00436CF8
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00436D10
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4), ref: 00436D29
                                                              • __vbaChkstk.MSVBVM60(?), ref: 00436D90
                                                              • __vbaChkstk.MSVBVM60(?), ref: 00436DB3
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436ED2
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00436EE6
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436EF4
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00436F08
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436F16
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00436F2A
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436F38
                                                              • __vbaStrMove.MSVBVM60 ref: 00436F57
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00436F7C
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436F9E
                                                              • __vbaStrMove.MSVBVM60 ref: 00436FBD
                                                              • #666.MSVBVM60(?,00000008,00000000,?), ref: 00436FEE
                                                              • __vbaStrCopy.MSVBVM60 ref: 00437010
                                                              • __vbaStrMove.MSVBVM60 ref: 0043702F
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00437060
                                                              • __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 00437078
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000000), ref: 0043708D
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000), ref: 004370A2
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004370B7
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004370BE
                                                              • __vbaStrMove.MSVBVM60 ref: 004370CB
                                                              • __vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 00437103
                                                              • __vbaFreeVarList.MSVBVM60(0000000A,00000008,?,00000008,?,?,?,?,?,?,?), ref: 0043714E
                                                              • #645.MSVBVM60(00004008,00000010), ref: 0043717B
                                                              • __vbaStrMove.MSVBVM60 ref: 00437186
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00437192
                                                              • __vbaFreeStr.MSVBVM60 ref: 004371A9
                                                              • #531.MSVBVM60(00778314), ref: 004371C7
                                                              • __vbaStrMove.MSVBVM60 ref: 004371EC
                                                              • __vbaNew2.MSVBVM60(00404B2C,hIv), ref: 00437218
                                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00437252
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D6FC,00000064), ref: 0043729B
                                                              • __vbaFreeObj.MSVBVM60 ref: 004372B6
                                                              • __vbaNew2.MSVBVM60(00404B2C,hIv), ref: 004372D6
                                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00437310
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D6FC,00000064), ref: 00437359
                                                              • __vbaFreeObj.MSVBVM60 ref: 00437374
                                                              • __vbaFreeVar.MSVBVM60(00000008), ref: 004373A5
                                                              • __vbaNew2.MSVBVM60(00404B2C,hIv), ref: 004373D5
                                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043740F
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D6FC,0000005C), ref: 00437455
                                                              • __vbaFreeObj.MSVBVM60 ref: 00437470
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,0043754A), ref: 00437528
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00437537
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00437543
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 0043755B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Copy$List$#645Error$#666$BstrChkstkDestructNew2$CheckHresult$#516#631BoundsGenerate$#526#531#537#579#608#616#619#632#709#712AnsiOverflowPreserveRedimSystemUnicode
                                                              • String ID: $$pD$$pD$(pD$(pD$0221241430103F2002232B06$023D331B3E1B2903$08223F36063F$0E093100263F37$391E3A390D06312112132131$BKwlbIryKFShrVwfvbmrdtLPwjDEtWc$C:\Users\Public\Libraries\vbsqlite3.dll$LuQyxAGaqVRupPVgBhdrhOUdFNiQYgVmNI$SWnvIpZdFdhunnluRjUtswWjvfDCUvPKbrjsSMMOGChj$SysWOW64\winsqlite3.dll$XpD$\Microsoft\Windows\Templates\$\winsqlite3.dll$dAniDeDzrLbfCnmoSWCNNMYg$fOyADGKVrDsLLqFJkWJUsr$hIv
                                                              • API String ID: 3803378301-2786916344
                                                              • Opcode ID: 2208498381c2bd6044abf440549c27c79137960fb2aac9143214c1d5c797cb22
                                                              • Instruction ID: 36be2e204cbef8f2f7c74faa0a989ad708dde6e82c3026597a13f8a1e124d70c
                                                              • Opcode Fuzzy Hash: 2208498381c2bd6044abf440549c27c79137960fb2aac9143214c1d5c797cb22
                                                              • Instruction Fuzzy Hash: EF822BB5900218EFDB14DFA0DD88BDEBBB4FB48304F1085A9E546B72A0DB745A89CF54

                                                              Control-flow Graph

                                                              [Figure: control-flow graph of function 00438890 (legend: Executed, Not Executed)]
                                                              APIs
                                                              • __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                              • #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                              • __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                              • __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                              • #537.MSVBVM60(00000000), ref: 00438956
                                                              • __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                              • __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                              • __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                              • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 004389F4
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438A1E
                                                              • __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438A4E
                                                              • __vbaVarVargNofree.MSVBVM60 ref: 00438A6F
                                                              • __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00438A7E
                                                              • __vbaI2Var.MSVBVM60(00000000), ref: 00438A85
                                                              • __vbaChkstk.MSVBVM60 ref: 00438B0B
                                                              • __vbaChkstk.MSVBVM60 ref: 00438B2E
                                                              • __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00438B56
                                                              • __vbaChkstk.MSVBVM60 ref: 00438B66
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Chkstk$ErrorFreeMove$#537#632BstrIndexListLoadNofreeOverflowVarg
                                                              • String ID: 200C197832133B2C7A46$2C7E7A$`,@$jNHNTcdJBaGYeiOWmSElDGwsaRoCIINDFf$wBewVPrHILrDrFlHideruOi
                                                              • API String ID: 2129149374-215353524
                                                              • Opcode ID: c0c23988d1314fd89c9e5be5f377224b9a962e77b5607818b3250ce0305fd7b8
                                                              • Instruction ID: e2bf742a63424fe424e82add690630a7d4d67e0642cb6f83a9a2e068eb574df7
                                                              • Opcode Fuzzy Hash: c0c23988d1314fd89c9e5be5f377224b9a962e77b5607818b3250ce0305fd7b8
                                                              • Instruction Fuzzy Hash: 6B82E7B5900208EFDB04DFA4DA88BDEBBB5FF48704F208169E506B72A0DB756A45CF54

                                                              Control-flow Graph

                                                              [Figure: control-flow graph of function 00404E21 (legend: Executed, Not Executed)]
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0041119E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6), ref: 004111E5
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004037E6), ref: 00411210
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004037E6), ref: 00411224
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004037E6), ref: 00411232
                                                              • __vbaStrMove.MSVBVM60 ref: 00411251
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00411269
                                                                • Part of subcall function 00436460: __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,?,00000000,004037E6), ref: 0043647E
                                                                • Part of subcall function 00436460: __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004037E6), ref: 004364AE
                                                                • Part of subcall function 00436460: __vbaStrCat.MSVBVM60(0040654C,00778314,?,?,?,?,004037E6), ref: 004364CD
                                                                • Part of subcall function 00436460: #645.MSVBVM60(00000008,00000000), ref: 004364E3
                                                                • Part of subcall function 00436460: __vbaVarMove.MSVBVM60 ref: 004364F9
                                                                • Part of subcall function 00436460: __vbaFreeVar.MSVBVM60 ref: 00436502
                                                                • Part of subcall function 00436460: __vbaVarTstGt.MSVBVM60(00008008,?), ref: 0043652E
                                                                • Part of subcall function 00436460: __vbaInStrVar.MSVBVM60(00000008,00000000,00000008,?,00000001), ref: 0043656E
                                                                • Part of subcall function 00436460: __vbaBoolVarNull.MSVBVM60(00000000), ref: 00436575
                                                                • Part of subcall function 00436460: __vbaFreeVar.MSVBVM60 ref: 00436585
                                                                • Part of subcall function 00436460: __vbaStrCat.MSVBVM60(0040654C,00778314), ref: 004365AD
                                                                • Part of subcall function 00436460: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 004365C9
                                                                • Part of subcall function 00436460: __vbaStrVarMove.MSVBVM60(00000000), ref: 004365D0
                                                                • Part of subcall function 00436460: __vbaStrMove.MSVBVM60 ref: 004365DB
                                                                • Part of subcall function 00436460: __vbaVarAdd.MSVBVM60(0000000A,?,00000008), ref: 00436604
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 00411292
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 0041129E
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,004037E6), ref: 004112B3
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,004037E6), ref: 004112C7
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,004037E6), ref: 004112D5
                                                              • __vbaStrMove.MSVBVM60 ref: 004112F4
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0041130C
                                                                • Part of subcall function 00436460: __vbaStrVarMove.MSVBVM60(00000000), ref: 0043660B
                                                                • Part of subcall function 00436460: __vbaStrMove.MSVBVM60 ref: 00436616
                                                                • Part of subcall function 00436460: __vbaStrCopy.MSVBVM60 ref: 00436624
                                                                • Part of subcall function 00436460: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 00436649
                                                                • Part of subcall function 00436460: __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,004037E6), ref: 00436660
                                                                • Part of subcall function 00436460: #645.MSVBVM60(0000000A,00000000), ref: 00436684
                                                                • Part of subcall function 00436460: __vbaVarMove.MSVBVM60 ref: 0043669A
                                                                • Part of subcall function 00436460: __vbaFreeVar.MSVBVM60 ref: 004366A3
                                                                • Part of subcall function 00436460: __vbaFreeVar.MSVBVM60(00436701), ref: 004366FA
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 00411335
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004037E6), ref: 00411341
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004037E6), ref: 00411356
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004037E6), ref: 0041136A
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004037E6), ref: 00411378
                                                              • __vbaStrMove.MSVBVM60 ref: 00411397
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 004113AF
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 004113D8
                                                              • __vbaFreeVar.MSVBVM60 ref: 004113E4
                                                              • __vbaStrCopy.MSVBVM60 ref: 004113F9
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041140D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041141B
                                                              • __vbaStrMove.MSVBVM60 ref: 0041143A
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00411452
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 0041147B
                                                              • __vbaFreeVar.MSVBVM60 ref: 00411487
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041149C
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004114B0
                                                              • __vbaStrCopy.MSVBVM60 ref: 004114BE
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004114D2
                                                              • __vbaStrCopy.MSVBVM60 ref: 004114E0
                                                              • __vbaStrMove.MSVBVM60 ref: 004114FF
                                                              • #666.MSVBVM60(?,00000008,?,?), ref: 00411524
                                                              • __vbaStrCopy.MSVBVM60 ref: 00411546
                                                              • __vbaStrMove.MSVBVM60 ref: 00411565
                                                              • #666.MSVBVM60(?,00000008,00000000,?), ref: 00411593
                                                              • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 004115A8
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004115BD
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004115C4
                                                              • __vbaStrMove.MSVBVM60 ref: 004115CF
                                                              • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,00000000,?,?,00000000,00000000,?,?), ref: 0041160B
                                                              • __vbaFreeVarList.MSVBVM60(00000007,00000008,?,00000008,?,?,?,?), ref: 0041163E
                                                              • __vbaStrCopy.MSVBVM60 ref: 00411656
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041166A
                                                              • __vbaStrCopy.MSVBVM60 ref: 00411678
                                                              • __vbaStrMove.MSVBVM60 ref: 00411697
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 004116AF
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 004116D8
                                                              • __vbaFreeVar.MSVBVM60 ref: 004116E4
                                                              • __vbaStrCopy.MSVBVM60 ref: 004116F9
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0041170D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041171B
                                                              • __vbaStrMove.MSVBVM60 ref: 0041173A
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00411752
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0041177B
                                                              • __vbaFreeVar.MSVBVM60 ref: 00411787
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041179C
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004117B0
                                                              • __vbaStrCopy.MSVBVM60 ref: 004117BE
                                                              • __vbaStrMove.MSVBVM60 ref: 004117DD
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 004117F5
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 0041181E
                                                              • __vbaFreeVar.MSVBVM60 ref: 0041182A
                                                              • __vbaStrCopy.MSVBVM60 ref: 0041183F
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00411853
                                                              • __vbaStrCopy.MSVBVM60 ref: 00411861
                                                              • __vbaStrMove.MSVBVM60 ref: 00411880
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00411898
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,00000008,?), ref: 004118C1
                                                              • __vbaFreeVar.MSVBVM60 ref: 004118CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Copy$List$Bstr$#516#631#645#666ChkstkError$#537#608#632BoolNull
                                                              • String ID: 0221241430103F2002232B06$023D331B3E1B2903$081F2D323C2D05112C0130$2027190C241B1527$2230212B0A093E02393C$260308233B3416$2C3132260301063F$32362F320C0007$341F281E22263838250B001D05$3E04072A05$7$CcHwxExaTkhtMTBsKBrbGr$HkmHVYCqxMmCfihxHVfgmyA$PaTAUbfcLvF$SWnvIpZdFdhunnluRjUtswWjvfDCUvPKbrjsSMMOGChj$SqSSNogMjVHj$cwmQnVIoYIgeivSWQlzjTYR$dAniDeDzrLbfCnmoSWCNNMYg$eySVvmtfLYKdCKkMdKGxtF$oelgHRQeOLF$uxmkOvwJEOsp
                                                              • API String ID: 1362582428-384964796
                                                              • Opcode ID: 93ba7c65988199f808fc073edcc99a578440b82e079213aaa6d5d5c4fa8e332e
                                                              • Instruction ID: 03c6fcdd25b347094d8e7a910d915d2d0d3bbdcae9ac79ee1062a4968fbf923e
                                                              • Opcode Fuzzy Hash: 93ba7c65988199f808fc073edcc99a578440b82e079213aaa6d5d5c4fa8e332e
                                                              • Instruction Fuzzy Hash: 0132F876801109ABDB04EFE4DA94EDEB7B9FF48304F10816AF502B7164EB746A09CF64

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              [Control-flow graph starting at block 42a420-42a50f; the graph rendering is not recoverable from the extracted text.]
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,0041B51F,?,?), ref: 0042A43E
                                                              • __vbaAryMove.MSVBVM60(00000000,?,?,00447064,?,00000000,?,?,004037E6), ref: 0042A4AA
                                                              • __vbaUbound.MSVBVM60(00000001,00000000,?,00000000,?,?,004037E6), ref: 0042A4BD
                                                              • __vbaI2I4.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042A4C5
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042A524
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0042A46E
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438F3E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438F6E
                                                                • Part of subcall function 00438890: #645.MSVBVM60(00004008,00000010), ref: 00438F95
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00438FA0
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(00405E48,?), ref: 00438FC3
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040651C,?), ref: 00438FE1
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040D734,?), ref: 00438FF7
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043901D
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00439028
                                                                • Part of subcall function 00438890: #579.MSVBVM60(00000000), ref: 0043902F
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60 ref: 00439049
                                                                • Part of subcall function 00438890: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 00439078
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0042A538
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042A546
                                                              • __vbaStrMove.MSVBVM60 ref: 0042A565
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0042A57D
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A5BF
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A5DC
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0042A611
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0042A618
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A664
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A681
                                                              • __vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 0042A6A2
                                                              • #645.MSVBVM60(00000008,00000000), ref: 0042A6BE
                                                              • __vbaStrMove.MSVBVM60 ref: 0042A6C9
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0042A6D5
                                                              • #645.MSVBVM60(00000008,00000000), ref: 0042A6EE
                                                              • __vbaStrMove.MSVBVM60 ref: 0042A6F9
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0042A705
                                                              • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000), ref: 0042A73F
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042A755
                                                              • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 0042A77F
                                                              • __vbaVarZero.MSVBVM60 ref: 0042A78E
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A7E3
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A800
                                                              • __vbaStrCat.MSVBVM60(\key4.db,00000000), ref: 0042A821
                                                              • __vbaStrCat.MSVBVM60(\keyDBPath.db,00778314), ref: 0042A83D
                                                              • __vbaChkstk.MSVBVM60 ref: 0042A858
                                                              • __vbaChkstk.MSVBVM60 ref: 0042A87B
                                                              • __vbaObjVar.MSVBVM60(?,CopyFile,00000002), ref: 0042A8B3
                                                              • __vbaLateMemCall.MSVBVM60(00000000), ref: 0042A8BA
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042A8D0
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042A8F9
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0042A90D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042A91B
                                                              • __vbaStrMove.MSVBVM60 ref: 0042A93A
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0042A952
                                                              • __vbaStrCat.MSVBVM60(\keyDBPath.db,00778314), ref: 0042A964
                                                              • __vbaStrMove.MSVBVM60 ref: 0042A96F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A9B1
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042A9CE
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0042AA03
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0042AA0A
                                                              • __vbaStrMove.MSVBVM60 ref: 0042AA15
                                                              • __vbaFreeStrList.MSVBVM60(00000008,?,?,?,?,?,?,00000000,00000000,?,?,00000000), ref: 0042AA4E
                                                              • __vbaStrCat.MSVBVM60(\keyDBPath.db,00778314), ref: 0042AA69
                                                              • #529.MSVBVM60(00000008), ref: 0042AA7D
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042AA86
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042AA9B
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0042AAAF
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042AABD
                                                              • __vbaStrMove.MSVBVM60 ref: 0042AADC
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 0042AAF4
                                                              • __vbaVarCat.MSVBVM60(?,00000008,?,00000000), ref: 0042AB3F
                                                              • #645.MSVBVM60(00000000), ref: 0042AB46
                                                              • __vbaStrMove.MSVBVM60 ref: 0042AB51
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0042AB5D
                                                              • __vbaVarCat.MSVBVM60(?,00000008,?,00000000), ref: 0042AB81
                                                              • #645.MSVBVM60(00000000), ref: 0042AB88
                                                              • __vbaStrMove.MSVBVM60 ref: 0042AB93
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0042AB9F
                                                              • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,00000000,?), ref: 0042ABE7
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0042AC04
                                                              • __vbaFreeVar.MSVBVM60(0042ACC2), ref: 0042AC82
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042AC91
                                                              • __vbaAryDestruct.MSVBVM60(00000000,00000000), ref: 0042AC9D
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042ACA9
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042ACB2
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042ACBB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Error$BoundsGenerateList$Copy$#645$Chkstk$BstrDestruct$#516#631$#529#537#579#608#632#716CallLatePreserveRedimUboundZero
                                                              • String ID: 3B230B320C19396823243A08$3D303C2800182F037E2704030F002B$CopyFile$PaCUOnwApPTuoftNLEUJQUyMzEyJccT$Scripting.FileSystemObject$\key3.db$\key4.db$\keyDBPath.db$xgOdUewJFIWUfQEPcoCatLjzXiKLlLcUsDbGufNIQw
                                                              • API String ID: 2306589352-3224081168
                                                              • Opcode ID: 6ba387a685a023ab5ee594aef5548ad64c33010a9a19996e04e9a2b2dc3a0441
                                                              • Instruction ID: 1c6dde7246737b44db6e12ec51bd173daa5bf8514d1e275982024702818f2b82
                                                              • Opcode Fuzzy Hash: 6ba387a685a023ab5ee594aef5548ad64c33010a9a19996e04e9a2b2dc3a0441
                                                              • Instruction Fuzzy Hash: BF322975900218DFDB14DF94DD88BDEBBB5FB48300F1081AAE50ABB264DB745A89CF94

                                                              Control-flow Graph

                                                              control_flow_graph 3324 43f2b0-43f468 __vbaChkstk __vbaOnError __vbaStrCopy call 438890 __vbaStrMove __vbaStrCopy __vbaStrMove call 4379a0 #666 __vbaVarCat __vbaStrVarMove __vbaStrMove __vbaFreeStrList __vbaFreeVarList #645 __vbaStrMove __vbaStrCmp __vbaFreeStr 3329 43f46a 3324->3329 3330 43f46f-43f4d1 #648 __vbaVarMove __vbaFreeVar 3324->3330 3331 43fa4d-43faf0 __vbaFreeVar __vbaFreeStr __vbaAryDestruct 3329->3331 3332 43f4d3-43f4ed __vbaNew2 3330->3332 3333 43f4ef 3330->3333 3335 43f4f9-43f52c 3332->3335 3333->3335 3337 43f551 3335->3337 3338 43f52e-43f54f __vbaHresultCheckObj 3335->3338 3339 43f55b-43f589 3337->3339 3338->3339 3341 43f58b-43f5ac __vbaHresultCheckObj 3339->3341 3342 43f5ae 3339->3342 3343 43f5b8-43f5bf 3341->3343 3342->3343 3344 43f5c1-43f5db __vbaNew2 3343->3344 3345 43f5dd 3343->3345 3346 43f5e7-43f61a 3344->3346 3345->3346 3348 43f63f 3346->3348 3349 43f61c-43f63d __vbaHresultCheckObj 3346->3349 3350 43f649-43f677 3348->3350 3349->3350 3352 43f679-43f69a __vbaHresultCheckObj 3350->3352 3353 43f69c 3350->3353 3354 43f6a6-43f7ec __vbaStrCopy call 438890 __vbaStrMove __vbaStrCopy __vbaStrMove call 4379a0 __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove * 2 __vbaStrCat __vbaStrMove __vbaI2Var __vbaFileOpen __vbaFreeStrList __vbaFreeObjList __vbaI2Var #570 3352->3354 3353->3354 3359 43f7f2-43fa4a __vbaRedim __vbaI2Var __vbaGetOwner3 __vbaI2Var __vbaFileClose #648 __vbaFreeVar __vbaFileOpen __vbaPutOwner4 __vbaFileClose __vbaStrCopy call 438890 __vbaStrMove __vbaStrCopy __vbaStrMove call 4379a0 __vbaStrMove __vbaStrCat __vbaStrMove #716 __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall __vbaFreeStrList __vbaFreeVarList 3354->3359 3360 43fb21-43fb27 __vbaErrorOverflow 3354->3360 3359->3331
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0043F2CE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 0043F2FE
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0043F313
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 0043F327
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0043F335
                                                              • __vbaStrMove.MSVBVM60 ref: 0043F354
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • #666.MSVBVM60(?,00000008,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043F385
                                                              • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 0043F3B4
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043F3BB
                                                              • __vbaStrMove.MSVBVM60 ref: 0043F3C6
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0043F3DE
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000,?,00000000,004037E6), ref: 0043F3FE
                                                              • #645.MSVBVM60(00004008,00000000), ref: 0043F42A
                                                              • __vbaStrMove.MSVBVM60 ref: 0043F435
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 0043F441
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043F459
                                                              • #648.MSVBVM60(0000000A), ref: 0043F491
                                                              • __vbaVarMove.MSVBVM60 ref: 0043F4B1
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043F4BD
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4), ref: 0043F4DD
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040524C,00000014), ref: 0043F543
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB1C,00000050), ref: 0043F5A0
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4), ref: 0043F5CB
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040524C,00000014), ref: 0043F631
                                                              • __vbaFreeVar.MSVBVM60(0043FAF1), ref: 0043FAD5
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043FADE
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0043FAEA
                                                              Strings
                                                              • fOyADGKVrDsLLqFJkWJUsr, xrefs: 0043F32D
                                                              • customariness, xrefs: 0043F938
                                                              • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\, xrefs: 0043F933
                                                              • RegWrite, xrefs: 0043F9F5
                                                              • lwrMgBdVQbgql, xrefs: 0043F8EE
                                                              • 20212E152B14227F310F140000, xrefs: 0043F8CC
                                                              • fVrnPBPklGHIoHoUpGuxZCXeCRwRdnuElWlMcNhkk, xrefs: 0043F6C8
                                                              • 0E093100263F37, xrefs: 0043F30B
                                                              • \Microsoft\Windows\Templates\flakeboard.exe, xrefs: 0043F38B
                                                              • 78171635, xrefs: 0043F6A6
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$FreeMove$BstrCheckHresultList$#516#631CopyNew2$#537#608#632#645#648#666ChkstkDestructError
                                                              • String ID: 0E093100263F37$20212E152B14227F310F140000$78171635$HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\$RegWrite$\Microsoft\Windows\Templates\flakeboard.exe$customariness$fOyADGKVrDsLLqFJkWJUsr$fVrnPBPklGHIoHoUpGuxZCXeCRwRdnuElWlMcNhkk$lwrMgBdVQbgql
                                                              • API String ID: 3151215583-1801457511
                                                              • Opcode ID: 6cc18f6cb6400fcba9f907ccf51c7b4b6e19b411f2b8b2a942d6ca63a0b2b509
                                                              • Instruction ID: a52e37e70997ad60adc9d5aa487ac8f1a200e7e47c2a50d5f9f7d42e3838bcc2
                                                              • Opcode Fuzzy Hash: 6cc18f6cb6400fcba9f907ccf51c7b4b6e19b411f2b8b2a942d6ca63a0b2b509
                                                              • Instruction Fuzzy Hash: 56320AB5900218DFDB14DFA0CD48BEEB7B4FB48304F1085AAE50AB72A4DB745A89CF54

                                                              Control-flow Graph

                                                              control_flow_graph 3365 4449e0-444b29 __vbaChkstk __vbaOnError __vbaStrCopy call 438890 __vbaStrMove __vbaStrCopy __vbaStrMove call 4379a0 __vbaStrMove #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVar 3370 445091-44512a __vbaAryUnlock __vbaFreeVar __vbaAryDestruct __vbaFreeVar * 2 3365->3370 3371 444b2f-444b93 __vbaStrCopy call 438f20 __vbaAryMove __vbaFreeStr 3365->3371 3375 444b95 3371->3375 3376 444b9a-444bc8 __vbaForEachAry 3371->3376 3375->3370 3377 445084-44508b 3376->3377 3377->3370 3378 444bcd-444ce1 __vbaStrCopy call 438890 __vbaStrMove __vbaStrCopy __vbaStrMove call 4379a0 __vbaStrMove __vbaVarAdd #645 __vbaStrMove __vbaStrCmp __vbaFreeStrList __vbaFreeVarList 3377->3378 3383 444ce7-444e86 #716 __vbaVarZero __vbaStrCopy call 438890 __vbaStrMove __vbaStrCopy __vbaStrMove call 4379a0 __vbaStrCat __vbaVarAdd __vbaChkstk * 2 __vbaObjVar __vbaLateMemCall __vbaFreeStrList __vbaFreeVarList 3378->3383 3384 44505d-44507e __vbaNextEachAry 3378->3384 3383->3384 3389 444e8c-444eed __vbaStrCat __vbaStrMove call 4432f0 __vbaFreeStr __vbaStrCopy call 443130 __vbaFreeStr 3383->3389 3384->3377 3394 444ef3-444f16 call 40a014 __vbaSetSystemError 3389->3394 3397 444ff6-445057 call 409fcc __vbaSetSystemError call 443380 __vbaStrCat #529 __vbaFreeVar 3394->3397 3398 444f1c-444ff1 call 442f20 __vbaStrMove __vbaStrCat __vbaStrMove call 442f20 __vbaStrMove __vbaStrCat __vbaStrMove call 442f20 __vbaStrMove __vbaStrCat __vbaStrMove call 442f20 __vbaStrMove __vbaStrCat __vbaStrMove __vbaFreeStrList 3394->3398 3397->3384 3398->3394
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 004449FE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 00444A2E
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 00444A43
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 00444A57
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 00444A65
                                                              • __vbaStrMove.MSVBVM60 ref: 00444A84
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00444A9C
                                                              • #645.MSVBVM60(00000008,00000010), ref: 00444AC8
                                                              • __vbaStrMove.MSVBVM60 ref: 00444AD3
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00444ADF
                                                              • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,00000000,?), ref: 00444B0E
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 00444B1A
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 00444B4E
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438F3E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438F6E
                                                                • Part of subcall function 00438890: #645.MSVBVM60(00004008,00000010), ref: 00438F95
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00438FA0
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(00405E48,?), ref: 00438FC3
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040651C,?), ref: 00438FE1
                                                                • Part of subcall function 00438890: __vbaStrCmp.MSVBVM60(0040D734,?), ref: 00438FF7
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(?,00000001), ref: 0043901D
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60 ref: 00439028
                                                                • Part of subcall function 00438890: #579.MSVBVM60(00000000), ref: 0043902F
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60 ref: 00439049
                                                                • Part of subcall function 00438890: __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,00000000,00000000), ref: 00439078
                                                              • __vbaAryMove.MSVBVM60(00447070,?,?,00447064,?,?,?,00000000,?,00000000,004037E6), ref: 00444B74
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 00444B7D
                                                              • __vbaForEachAry.MSVBVM60(00000008,?,?,?,00000000,?,?,?,00000000,?,00000000,004037E6), ref: 00444BBC
                                                              • __vbaAryUnlock.MSVBVM60(?,0044512B,?,?,?,00000000,?,00000000,004037E6), ref: 004450F7
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 00445103
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,00000000,?,00000000,004037E6), ref: 00445112
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0044511B
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 00445124
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$FreeMove$BstrCopy$#516#631#645ChkstkErrorList$#537#579#608#632DestructEachPreserveRedimUnlock
                                                              • String ID: 014B0E37203122352E121A1A063035331F0C$3603303B10000E47020B$C:\\MailMasterData\$CopyFile$SELECT c0, c1, c2, c3, c4, c5 FROM Search_content$Scripting.FileSystemObject$\163MailContacts.db$cBqRkmPKYcsin$d$ojpUZbcfifiTPQEjpeClSSsLKEGRXotgAETQmfkqBj
                                                              • API String ID: 3684354002-1518002646
                                                              • Opcode ID: 54c87ccb58ee67e842f6985e05a417d90f7392d94870f45cd70cb596609fe2c9
                                                              • Instruction ID: 4c748d8d1553d800f4692d55ceac57c872c71b0ba29c0dbc7ccdb7213944b27d
                                                              • Opcode Fuzzy Hash: 54c87ccb58ee67e842f6985e05a417d90f7392d94870f45cd70cb596609fe2c9
                                                              • Instruction Fuzzy Hash: 9922E7B5900208DBDB14DFE0DD59BEEB7B8FB48304F10816AE506BB2A4EB745A49CF54

                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 004119BE
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004037E6), ref: 004119F7
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6), ref: 00411A06
                                                              • #645.MSVBVM60(00004008,00000000), ref: 00411A2F
                                                              • __vbaStrMove.MSVBVM60 ref: 00411A3A
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 00411A46
                                                              • __vbaFreeStr.MSVBVM60 ref: 00411A5E
                                                              • #529.MSVBVM60(00004008), ref: 00411A90
                                                              • __vbaStrCopy.MSVBVM60 ref: 00411AA5
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00411AB9
                                                              • __vbaStrCopy.MSVBVM60 ref: 00411AC7
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00411ADB
                                                              • __vbaStrCopy.MSVBVM60 ref: 00411AE9
                                                              • __vbaStrMove.MSVBVM60 ref: 00411B08
                                                              • __vbaStrCopy.MSVBVM60(?,?), ref: 00411B2D
                                                              • __vbaStrMove.MSVBVM60 ref: 00411B4C
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405080,00000218), ref: 00411BA2
                                                              • __vbaChkstk.MSVBVM60(00406300), ref: 00411BC4
                                                              • __vbaChkstk.MSVBVM60(00406300), ref: 00411BE7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$CopyMove$Chkstk$#529#645CheckErrorFreeHresult
                                                              • String ID: 03005F3E0A3207361922361920$310D2E002705090721073A31$Add$DC-SC$FUBqncQsCkGtvXxSqEOzT$HAdMTBhyWHdenrapNTSSkypS$Remove$7@
                                                              • API String ID: 483646690-3348098571
                                                              • Opcode ID: 3707304e046b826c1903f3b41a65750eb2e24211da27c1e557d81eea6c74bab5
                                                              • Instruction ID: 25d5c61e7f149f94fe9a6d3bddd1c69e2786812ad2ac1fd897cf8a9b418ba2c2
                                                              • Opcode Fuzzy Hash: 3707304e046b826c1903f3b41a65750eb2e24211da27c1e557d81eea6c74bab5
                                                              • Instruction Fuzzy Hash: 2A721BB4900218DFDB14DFA4C988BDEBBB5FF48304F1081A9E54AB72A0D7749A85CF94

                                                              APIs
                                                              • __vbaOnError.MSVBVM60(00000001,?,00000000), ref: 0043C9CD
                                                              • __vbaVarCopy.MSVBVM60(?,00000000), ref: 0043C9F1
                                                              • __vbaStrVarVal.MSVBVM60(?,?,0040654C,000000FF,00000000,?,00000000), ref: 0043CA07
                                                              • #709.MSVBVM60(00000000,?,00000000), ref: 0043CA0E
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 0043CA24
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043CA3A
                                                              • #632.MSVBVM60(?,?,-00000001,0000000A,?,00000000), ref: 0043CA7E
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 0043CA8C
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043CA9B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaVarCat.MSVBVM60(?,?,00000008,?,?,?,00000000), ref: 0043CAD5
                                                              • __vbaVarCat.MSVBVM60(?,00000008,00000000,?,00000000), ref: 0043CAE6
                                                              • __vbaVarMove.MSVBVM60(?,00000000), ref: 0043CAED
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,00000000), ref: 0043CB09
                                                              • __vbaFreeVarList.MSVBVM60(00000004,0000000A,?,?,00000008,?,00000000), ref: 0043CB2D
                                                              • #648.MSVBVM60(0000000A), ref: 0043CB4E
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043CB5C
                                                              • __vbaStrVarCopy.MSVBVM60(?), ref: 0043CB66
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CB71
                                                              • __vbaFileOpen.MSVBVM60(00000002,000000FF,00000000,00000000), ref: 0043CB79
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043CB82
                                                              • #537.MSVBVM60(00000050), ref: 0043CB90
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CB97
                                                              • #537.MSVBVM60(0000004B), ref: 0043CB9B
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CBA2
                                                              • #537.MSVBVM60(00000005), ref: 0043CBA6
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CBAD
                                                              • #537.MSVBVM60(00000006), ref: 0043CBB1
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CBB8
                                                              • #607.MSVBVM60(?,00000012,00000002), ref: 0043CBD9
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CC0C
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0043CC18
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043CC21
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CC28
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0043CC34
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043CC37
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CC3E
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 0043CC4A
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043CC4D
                                                              • __vbaVarCat.MSVBVM60(00000008,?,00000008), ref: 0043CC74
                                                              • __vbaPrintFile.MSVBVM60(0040DAB8,00000000,00000000), ref: 0043CC81
                                                              • __vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,00000000,?,?,?,?,?), ref: 0043CCB1
                                                              • __vbaFreeVarList.MSVBVM60(00000004,00000002,00000008,?,00000008), ref: 0043CCD5
                                                              • __vbaFileClose.MSVBVM60(00000000), ref: 0043CCDF
                                                              • #716.MSVBVM60(00000002,shell.application,00000000), ref: 0043CCF3
                                                              • __vbaObjVar.MSVBVM60(00000002), ref: 0043CD06
                                                              • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0043CD13
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043CD21
                                                              • __vbaLateMemCallLd.MSVBVM60(00000002,?,Namespace,00000001), ref: 0043CD65
                                                              • __vbaObjVar.MSVBVM60(00000000), ref: 0043CD6F
                                                              • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0043CD76
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043CD7E
                                                              • __vbaLateMemCall.MSVBVM60(?,CopyHere,00000002), ref: 0043CDEC
                                                              • __vbaExitProc.MSVBVM60 ref: 0043CDF5
                                                              • __vbaFreeObj.MSVBVM60(0043CE8F), ref: 0043CE77
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043CE82
                                                              • __vbaFreeObj.MSVBVM60 ref: 0043CE87
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043CE8C
                                                              • __vbaErrorOverflow.MSVBVM60(0000000A,?,00000000), ref: 0043CEA6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$#537List$Copy$BstrFile$#516#631#632AddrefCallErrorLate$#607#608#648#709#716CloseExitOpenOverflowPrintProc
                                                              • String ID: 7D333B32$CopyHere$JC$Namespace$OSIRBZxfbPpdOXUqlfiCPe$shell.application
                                                              • API String ID: 3980988675-3361705585
                                                              • Opcode ID: 7240ebc741fbed241af62d7a167b98950c7259fcdeb6fdb58710cd1e2cc17aef
                                                              • Instruction ID: 320aa92be900dec277d4aa658d353d95740fcf281db33f9ffe7dee3afa6f1863
                                                              • Opcode Fuzzy Hash: 7240ebc741fbed241af62d7a167b98950c7259fcdeb6fdb58710cd1e2cc17aef
                                                              • Instruction Fuzzy Hash: F7F1D6B1D102289BDB14DFA5DD84BDEBBB9FF48700F1081AAE20AB7254DB705A45CF94

                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,0043DF46,?,?,?), ref: 0043EEFE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043EF2E
                                                              • #618.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043EF43
                                                              • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043EF4E
                                                              • __vbaStrCmp.MSVBVM60(0040654C,00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0043EF5A
                                                              • __vbaFreeStr.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043EF6F
                                                              • __vbaStrCat.MSVBVM60(0040654C,?,?,00000001,?,00000000,?,?,004037E6), ref: 0043EF8F
                                                              • __vbaStrMove.MSVBVM60(?,?,00000001,?,00000000,?,?,004037E6), ref: 0043EF9A
                                                              • #519.MSVBVM60(00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0043EFAD
                                                              • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043EFB8
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0043EFC4
                                                              • __vbaFreeStr.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043EFD8
                                                              • __vbaStrCopy.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043EFF5
                                                              • #616.MSVBVM60(00000000,00000002,?,00000001,?,00000000,?,?,004037E6), ref: 0043F00C
                                                              • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043F017
                                                              • __vbaStrCmp.MSVBVM60(0040DF6C,00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0043F023
                                                              • __vbaFreeStr.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043F038
                                                              • __vbaStrCat.MSVBVM60(00000000,0040DF6C,?,00000001,?,00000000,?,?,004037E6), ref: 0043F058
                                                              • __vbaStrMove.MSVBVM60(?,00000001,?,00000000,?,?,004037E6), ref: 0043F063
                                                              • __vbaStrCat.MSVBVM60(?,?,?,00000001,?,00000000,?,?,004037E6), ref: 0043F07C
                                                              • #645.MSVBVM60(00000008,00000000), ref: 0043F092
                                                              • __vbaStrMove.MSVBVM60 ref: 0043F09D
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043F0A6
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 0043F0B7
                                                              • __vbaStrCat.MSVBVM60(0040654C), ref: 0043F0D7
                                                              • __vbaStrMove.MSVBVM60 ref: 0043F0E2
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0043F0ED
                                                              • __vbaStrMove.MSVBVM60 ref: 0043F0F8
                                                              • #578.MSVBVM60(00000000), ref: 0043F0FF
                                                              • _adj_fdiv_m64.MSVBVM60 ref: 0043F12E
                                                              • __vbaFpR8.MSVBVM60 ref: 0043F13D
                                                              • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0043F173
                                                              • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,004037E6), ref: 0043F199
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,004037E6), ref: 0043F1A4
                                                              • __vbaStrCat.MSVBVM60(0040654C,00000000,00000000,?,?,?,?,?,004037E6), ref: 0043F1B6
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,004037E6), ref: 0043F1C1
                                                              • __vbaStrCat.MSVBVM60(?,00000000,?,?,?,?,?,004037E6), ref: 0043F1CC
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,004037E6), ref: 0043F1D7
                                                              • #576.MSVBVM60(00000000,?,?,?,?,?,004037E6), ref: 0043F1DE
                                                              • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,004037E6), ref: 0043F1F2
                                                              • #645.MSVBVM60(0000000A,00000000), ref: 0043F235
                                                              • __vbaStrMove.MSVBVM60 ref: 0043F240
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043F249
                                                              • __vbaFreeStr.MSVBVM60(0043F287), ref: 0043F280
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$#645List$#519#576#578#616#618BstrChkstkCopyError_adj_fdiv_m64
                                                              • String ID: *.*$<:"
                                                              • API String ID: 2663026681-2996719951
                                                              • Opcode ID: a2f2e5e358e4cebea26dd45b002d81c4eb446481d3f2de7ea7c38a3bf9f74299
                                                              • Instruction ID: 4a4b25168cbeb3cacb07b28e9179edaaeee6a6826d5e64b1a065c918777f81ce
                                                              • Opcode Fuzzy Hash: a2f2e5e358e4cebea26dd45b002d81c4eb446481d3f2de7ea7c38a3bf9f74299
                                                              • Instruction Fuzzy Hash: A3A10D75900208DBDB04DFA4DA48BEEBB78FF48705F108169F802F76A4DB759949CB58
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6), ref: 0041011E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004037E6), ref: 00410165
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4,?,?,?,?,004037E6), ref: 00410185
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040524C,0000001C), ref: 004101DF
                                                              • __vbaChkstk.MSVBVM60(?), ref: 00410217
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040526C,0000005C), ref: 0041026D
                                                              • __vbaStrMove.MSVBVM60 ref: 0041029E
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004050B0,00000700), ref: 004102DB
                                                              • __vbaFreeStr.MSVBVM60 ref: 004102F6
                                                              • __vbaFreeObj.MSVBVM60 ref: 004102FF
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004050B0,000006FC), ref: 0041033A
                                                              • __vbaFreeVar.MSVBVM60 ref: 00410355
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4), ref: 00410375
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040524C,0000001C), ref: 004103CF
                                                              • __vbaChkstk.MSVBVM60(00000000), ref: 00410407
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040526C,0000005C), ref: 0041045D
                                                              • __vbaStrMove.MSVBVM60 ref: 00410490
                                                              • __vbaFreeObj.MSVBVM60 ref: 00410499
                                                              • __vbaStrCmp.MSVBVM60(00000000,03A7E594), ref: 004104B4
                                                              • __vbaStrCopy.MSVBVM60 ref: 004104D1
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 004104E5
                                                              • __vbaStrCopy.MSVBVM60 ref: 004104F3
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00410507
                                                              • __vbaStrCopy.MSVBVM60 ref: 00410515
                                                              • __vbaStrMove.MSVBVM60 ref: 00410534
                                                              • __vbaStrCopy.MSVBVM60 ref: 00410542
                                                              • __vbaStrMove.MSVBVM60 ref: 00410561
                                                              • __vbaStrCat.MSVBVM60(00405C14,0081C8FC), ref: 00410573
                                                              • __vbaStrMove.MSVBVM60 ref: 0041057E
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00410597
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0041059E
                                                              • __vbaStrMove.MSVBVM60 ref: 004105A9
                                                              • __vbaStrCat.MSVBVM60(03A7E594,00000000), ref: 004105B7
                                                              • __vbaStrMove.MSVBVM60 ref: 004105C2
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004105DB
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004105E2
                                                              • __vbaStrMove.MSVBVM60 ref: 004105ED
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000), ref: 004105F9
                                                              • __vbaStrMove.MSVBVM60 ref: 00410606
                                                              • __vbaFreeStrList.MSVBVM60(0000000E,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00410646
                                                              • __vbaStrCopy.MSVBVM60 ref: 00410661
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$CheckCopyHresult$Chkstk$#516#631BstrListNew2$#608Error
                                                              • String ID: 2204072C3B32241401302D6F4B$58642C3109111F15262E312207$cfZwrEXOWio$tyGKekpkUStpSwyFwEJyNYIr
                                                              • API String ID: 2736599679-1374297910
                                                              • Opcode ID: 37be2078fbe53fbe2e8e0efcbd529687a6dc474cb32dbcc05d9332b8366c8b36
                                                              • Instruction ID: 84336a092652031b4187f40eb1aad2fa48bc9fc1ec466f56680e69d227c6e2f4
                                                              • Opcode Fuzzy Hash: 37be2078fbe53fbe2e8e0efcbd529687a6dc474cb32dbcc05d9332b8366c8b36
                                                              • Instruction Fuzzy Hash: 53F10CB5900218DFDB14DFA4C988BDEBBB5FF48304F1081A9E50AB72A0DB745A85CF64
                                                              APIs
                                                              • #645.MSVBVM60(?,00000010,?,00000000), ref: 0044175F
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 00441770
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000,?,00000000), ref: 00441778
                                                              • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0044178B
                                                              • __vbaNew2.MSVBVM60(0040E918,?,?,00000000), ref: 004417AA
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E928,00000054,?,00000000), ref: 004417D4
                                                              • __vbaCastObj.MSVBVM60(?,0040E938,?,00000000), ref: 004417E3
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 004417F4
                                                              • __vbaFreeObj.MSVBVM60(?,00000000), ref: 004417F9
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E938,00000068,?,00000000), ref: 0044181E
                                                              • __vbaObjSet.MSVBVM60(?,?,?,00000000), ref: 0044182F
                                                              • __vbaForEachCollObj.MSVBVM60(0040E948,?,?,00000000,?,00000000), ref: 0044183F
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E948,00000020,?,00000000), ref: 0044186C
                                                              • __vbaInStr.MSVBVM60(00000000,.log,?,00000001,?,00000000), ref: 0044187E
                                                              • __vbaFreeStr.MSVBVM60(?,00000000), ref: 00441891
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E948,0000001C,?,00000000), ref: 004418BF
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 004418CE
                                                                • Part of subcall function 004362D0: __vbaChkstk.MSVBVM60(?,004037E6,?,?,00000000,?,?,004037E6), ref: 004362EE
                                                                • Part of subcall function 004362D0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043631E
                                                                • Part of subcall function 004362D0: #645.MSVBVM60(00004008,00000000), ref: 0043633E
                                                                • Part of subcall function 004362D0: __vbaStrMove.MSVBVM60 ref: 00436349
                                                                • Part of subcall function 004362D0: __vbaLenBstrB.MSVBVM60(00000000), ref: 00436350
                                                                • Part of subcall function 004362D0: __vbaFreeStr.MSVBVM60 ref: 00436366
                                                                • Part of subcall function 004362D0: #648.MSVBVM60(0000000A), ref: 00436391
                                                                • Part of subcall function 004362D0: __vbaFreeVar.MSVBVM60 ref: 0043639E
                                                                • Part of subcall function 004362D0: __vbaFileOpen.MSVBVM60(00000020,000000FF,00000000,00000000), ref: 004363BA
                                                                • Part of subcall function 004362D0: #570.MSVBVM60(00000000), ref: 004363CC
                                                                • Part of subcall function 004362D0: #525.MSVBVM60(00000000), ref: 004363D3
                                                                • Part of subcall function 004362D0: __vbaStrMove.MSVBVM60 ref: 004363DE
                                                                • Part of subcall function 004362D0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004363F6
                                                                • Part of subcall function 004362D0: __vbaFileClose.MSVBVM60(00000000), ref: 00436408
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004418DE
                                                              • __vbaFreeStr.MSVBVM60(?,00000000), ref: 004418E3
                                                                • Part of subcall function 0042DFD0: __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,0042C195,?,00000000), ref: 0042DFEE
                                                                • Part of subcall function 0042DFD0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E01B
                                                                • Part of subcall function 0042DFD0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E027
                                                                • Part of subcall function 0042DFD0: __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E033
                                                                • Part of subcall function 0042DFD0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0042E042
                                                                • Part of subcall function 0042DFD0: __vbaInStr.MSVBVM60(00000000,00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0042E05B
                                                                • Part of subcall function 0042DFD0: __vbaInStr.MSVBVM60(00000000,?,?,00000001,?,00000000,?,?,004037E6), ref: 0042E06F
                                                                • Part of subcall function 0042DFD0: __vbaInStr.MSVBVM60(00000000,00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0042E099
                                                                • Part of subcall function 0042DFD0: __vbaVarMove.MSVBVM60 ref: 0042E0B5
                                                                • Part of subcall function 0042DFD0: __vbaInStr.MSVBVM60(00000000,?,?,00000001), ref: 0042E0CE
                                                                • Part of subcall function 0042DFD0: __vbaI2I4.MSVBVM60 ref: 0042E0D6
                                                                • Part of subcall function 0042DFD0: __vbaVarSub.MSVBVM60(?,?,00000002), ref: 0042E108
                                                                • Part of subcall function 0042DFD0: __vbaVarMove.MSVBVM60 ref: 0042E113
                                                                • Part of subcall function 0042DFD0: __vbaI4Var.MSVBVM60(?,?), ref: 0042E134
                                                              • __vbaStrMove.MSVBVM60(?,vault,"},"MetaMetricsController,?,00000000), ref: 00441901
                                                              • __vbaStrMove.MSVBVM60(vault":",00405E48,00000001,000000FF,00000000,?,00000000), ref: 0044191B
                                                              • #712.MSVBVM60(00000000,?,00000000), ref: 0044191E
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 00441929
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00441935
                                                              • __vbaNextEachCollObj.MSVBVM60(0040E948,?,?,?,00000000), ref: 0044194B
                                                              • __vbaCastObj.MSVBVM60(00000000,0040E948,?,00000000), ref: 00441962
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0044196D
                                                              • __vbaCastObj.MSVBVM60(00000000,0040E938,?,00000000), ref: 00441975
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 00441980
                                                              • __vbaCastObj.MSVBVM60(00000000,0040E908,?,00000000), ref: 00441988
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 00441993
                                                              • __vbaStrCmp.MSVBVM60(00405E48,?,?,00000000), ref: 0044199E
                                                              • #712.MSVBVM60(?,0040654C,00405E48,00000001,000000FF,00000000,?,00000000), ref: 004419BB
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 004419C6
                                                              • __vbaFreeStr.MSVBVM60(004411B2,?,?,00000000), ref: 004419D8
                                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?,00441A4C,?,00000000), ref: 00441A1B
                                                              • __vbaFreeStr.MSVBVM60 ref: 00441A27
                                                              • __vbaFreeObj.MSVBVM60 ref: 00441A36
                                                              • __vbaFreeObj.MSVBVM60 ref: 00441A3B
                                                              • __vbaFreeVar.MSVBVM60 ref: 00441A40
                                                              • __vbaFreeObj.MSVBVM60 ref: 00441A49
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$Move$CastCheckHresult$Copy$#645#712ChkstkCollEachErrorFileList$#525#570#648BstrCloseGet3New2NextOpen
                                                              • String ID: "},"MetaMetricsController$.log$vault$vault":"
                                                              • API String ID: 1097575717-653149892
                                                              • Opcode ID: ca89f7678feccb9f568a38ce9e5b410b1920581ad897754356252465a9dd1895
                                                              • Instruction ID: 0c3c9a8403ac8dea97eb576c9ddc188ab9b6d812e337dc7b0bfdad38c1832060
                                                              • Opcode Fuzzy Hash: ca89f7678feccb9f568a38ce9e5b410b1920581ad897754356252465a9dd1895
                                                              • Instruction Fuzzy Hash: 27A14DB1900208AFDB04DFA4DD89DEEBBB8FB88705F104529F506F72A0DB746946CB64
                                                              APIs
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004458CA
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004458E0
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004458EA
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 004458F5
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00445909
                                                                • Part of subcall function 0043D2F0: __vbaFixstrConstruct.MSVBVM60(00000100,?,6D41D8B1,6D41D83C,00000000), ref: 0043D33C
                                                                • Part of subcall function 0043D2F0: __vbaNew2.MSVBVM60(0040525C,004476B4), ref: 0043D354
                                                                • Part of subcall function 0043D2F0: __vbaHresultCheckObj.MSVBVM60(00000000,0298004C,0040524C,00000014), ref: 0043D379
                                                                • Part of subcall function 0043D2F0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DB1C,00000060), ref: 0043D39D
                                                                • Part of subcall function 0043D2F0: __vbaStrToAnsi.MSVBVM60(?,?,00000001,00000000,00000000,00000000), ref: 0043D3B0
                                                                • Part of subcall function 0043D2F0: __vbaSetSystemError.MSVBVM60(00000000), ref: 0043D3C4
                                                                • Part of subcall function 0043D2F0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043D3D6
                                                                • Part of subcall function 0043D2F0: __vbaFreeObj.MSVBVM60 ref: 0043D3DE
                                                                • Part of subcall function 0043D2F0: __vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,04000000,00000000), ref: 0043D3FD
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00445919
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000), ref: 00445931
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 0044593E
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0044595B
                                                              • __vbaNew2.MSVBVM60(0040D850,?), ref: 00445971
                                                              • __vbaNew2.MSVBVM60(0040D850,?), ref: 0044598A
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D840,00000024), ref: 004459AE
                                                              • __vbaStrCopy.MSVBVM60 ref: 004459E9
                                                              • __vbaStrMove.MSVBVM60(?), ref: 004459F9
                                                              • __vbaStrCopy.MSVBVM60 ref: 00445A03
                                                              • __vbaStrMove.MSVBVM60 ref: 00445A0E
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00445A22
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00445A32
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 00445A4A
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 00445A57
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 00445A74
                                                              • __vbaNew2.MSVBVM60(0040D850,?), ref: 00445A8A
                                                              • __vbaNew2.MSVBVM60(0040D850,?), ref: 00445AA3
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D840,00000024), ref: 00445AC7
                                                                • Part of subcall function 00445550: __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,?,00445A6F,?,00000000), ref: 0044556E
                                                                • Part of subcall function 00445550: __vbaOnError.MSVBVM60(00000001,6D41D8B1,6D41D83C,00000000,00000000,004037E6), ref: 0044559E
                                                                • Part of subcall function 00445550: __vbaInStr.MSVBVM60(00000000,0040651C,?,00000001), ref: 004455C1
                                                                • Part of subcall function 00445550: __vbaNew.MSVBVM60(0040D850,?,00000001), ref: 004455D6
                                                                • Part of subcall function 00445550: __vbaObjSet.MSVBVM60(?,00000000,?,00000001), ref: 004455E1
                                                                • Part of subcall function 00445550: #631.MSVBVM60(?,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00445681
                                                                • Part of subcall function 00445550: __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000), ref: 0044568C
                                                                • Part of subcall function 00445550: __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 00445695
                                                                • Part of subcall function 00445550: __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 004456A6
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D840,0000001C), ref: 00445AFA
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00445B04
                                                              • __vbaStrMove.MSVBVM60 ref: 00445B0F
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 00445B1B
                                                              • __vbaCastObj.MSVBVM60(00000000,0040D840), ref: 00445B2A
                                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00445B35
                                                              • __vbaFreeObj.MSVBVM60(00445B94), ref: 00445B84
                                                              • __vbaFreeStr.MSVBVM60 ref: 00445B8D
                                                              Strings
                                                              • 25313B366B5B573505137E2B28212627321B142E170335682E2A2269381A0C27000A353262303B2F3D1D0C2B17177F35252A386B380456311A103D2A, xrefs: 004459E1
                                                              • MpONUJuVDANGqQpTnhXfepVjqtyveYrc, xrefs: 004458E2
                                                              • FMEOFQtxBrdP, xrefs: 004459FB
                                                              • 183B3A25705A793729213018215E3A0B1C, xrefs: 004458A1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Bstr$CheckHresultListNew2$Copy$#631$#516AnsiError$#537#608#632CastChkstkConstructFixstrSystem
                                                              • String ID: 183B3A25705A793729213018215E3A0B1C$25313B366B5B573505137E2B28212627321B142E170335682E2A2269381A0C27000A353262303B2F3D1D0C2B17177F35252A386B380456311A103D2A$FMEOFQtxBrdP$MpONUJuVDANGqQpTnhXfepVjqtyveYrc
                                                              • API String ID: 506135884-1689223711
                                                              • Opcode ID: 2d78e0e1b3ec841918fa8316bb97665384f967991f5d0fe4a79d5a3c4bc799c8
                                                              • Instruction ID: 014459d934e2965cca071c35e77c56aee6c78b501d0724bb1db3445822743b6f
                                                              • Opcode Fuzzy Hash: 2d78e0e1b3ec841918fa8316bb97665384f967991f5d0fe4a79d5a3c4bc799c8
                                                              • Instruction Fuzzy Hash: 61A1E9B1D00208ABDF04EFA4DD85DEEBBB9FF58304F10452AE502B7255DB74A949CB64
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,?,?,0043ED36,00000000), ref: 0043CECE
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0043CEFB
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 0043CF0A
                                                              • __vbaNew.MSVBVM60(0040D850,?,00000000,?,00000000,004037E6), ref: 0043CF1C
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004037E6), ref: 0043CF27
                                                              • __vbaStrCat.MSVBVM60(\*.*,00000000,?,00000000,?,00000000,004037E6), ref: 0043CF3D
                                                              • #645.MSVBVM60(00000008,00000017), ref: 0043CF53
                                                              • __vbaStrMove.MSVBVM60 ref: 0043CF5E
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043CF67
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 0043CF78
                                                              • __vbaStrCmp.MSVBVM60(0040D734,?), ref: 0043CF96
                                                              • __vbaStrCmp.MSVBVM60(0040651C,?), ref: 0043CFAC
                                                              • __vbaStrCat.MSVBVM60(0040654C,00000000), ref: 0043CFFB
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D006
                                                              • __vbaStrCat.MSVBVM60(?,00000000), ref: 0043D011
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D840,00000020), ref: 0043D060
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043D07B
                                                              • __vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A), ref: 0043D093
                                                              • #645.MSVBVM60(0000000A,00000000), ref: 0043D0B7
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D0C2
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043D0CB
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D840,00000024), ref: 0043D113
                                                              • __vbaI2I4.MSVBVM60 ref: 0043D131
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D840,0000001C), ref: 0043D1C6
                                                              • __vbaStrVarMove.MSVBVM60(00000008), ref: 0043D1E2
                                                              • __vbaStrMove.MSVBVM60 ref: 0043D1ED
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043D1F6
                                                              • #579.MSVBVM60(?), ref: 0043D207
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              • API ID: __vba$FreeMove$CheckHresult$#645$#579BstrChkstkCopyErrorList
                                                              • String ID: \*.*
                                                              • API String ID: 2067065791-1173974218
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00410AAE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6), ref: 00410AF5
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4,?,?,?,00000000,004037E6), ref: 00410B2A
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040524C,00000018), ref: 00410B7B
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405E7C,00000098), ref: 00410BC9
                                                              • __vbaNew2.MSVBVM60(0040525C,004476B4), ref: 00410BF4
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040524C,00000018), ref: 00410C45
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00405E7C,00000080), ref: 00410C93
                                                              • API ID: __vba$CheckHresult$New2$ChkstkError
                                                              • String ID: .BMP$;$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$\Screenshot
                                                              • API String ID: 945047687-1579816155
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,?,00000000,004037E6), ref: 0043647E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,004037E6), ref: 004364AE
                                                              • __vbaStrCat.MSVBVM60(0040654C,00778314,?,?,?,?,004037E6), ref: 004364CD
                                                              • #645.MSVBVM60(00000008,00000000), ref: 004364E3
                                                              • __vbaVarMove.MSVBVM60 ref: 004364F9
                                                              • __vbaFreeVar.MSVBVM60 ref: 00436502
                                                              • __vbaVarTstGt.MSVBVM60(00008008,?), ref: 0043652E
                                                              • __vbaInStrVar.MSVBVM60(00000008,00000000,00000008,?,00000001), ref: 0043656E
                                                              • __vbaBoolVarNull.MSVBVM60(00000000), ref: 00436575
                                                              • __vbaFreeVar.MSVBVM60 ref: 00436585
                                                              • __vbaStrCat.MSVBVM60(0040654C,00778314), ref: 004365AD
                                                              • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 004365C9
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004365D0
                                                              • __vbaStrMove.MSVBVM60 ref: 004365DB
                                                              • __vbaVarAdd.MSVBVM60(0000000A,?,00000008), ref: 00436604
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043660B
                                                              • __vbaStrMove.MSVBVM60 ref: 00436616
                                                              • __vbaStrCopy.MSVBVM60 ref: 00436624
                                                              • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,?,?), ref: 00436649
                                                              • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,004037E6), ref: 00436660
                                                              • #645.MSVBVM60(0000000A,00000000), ref: 00436684
                                                              • __vbaVarMove.MSVBVM60 ref: 0043669A
                                                              • __vbaFreeVar.MSVBVM60 ref: 004366A3
                                                              • __vbaFreeVar.MSVBVM60(00436701), ref: 004366FA
                                                              • API ID: __vba$FreeMove$#645List$BoolChkstkCopyErrorNull
                                                              • String ID: DC-
                                                              • API String ID: 3297433690-374979773
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 004433BE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 004433EE
                                                                • Part of subcall function 00443530: __vbaChkstk.MSVBVM60(00000000,004037E6,00443400,?,00000000,?,00000000,004037E6), ref: 0044354E
                                                                • Part of subcall function 00443530: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6,00443400), ref: 0044357E
                                                                • Part of subcall function 00443530: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6,00443400), ref: 00443596
                                                                • Part of subcall function 00443530: __vbaStrMove.MSVBVM60(?,?,00000000,?,00000000,004037E6,00443400), ref: 004435B0
                                                                • Part of subcall function 00443530: __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6,00443400), ref: 004435C1
                                                                • Part of subcall function 00443530: __vbaStrMove.MSVBVM60 ref: 004435E9
                                                                • Part of subcall function 00443530: #666.MSVBVM60(?,00000008,?,?,?,?,?,?), ref: 00443620
                                                                • Part of subcall function 00443530: __vbaVarAdd.MSVBVM60(?,00000008,?), ref: 0044364F
                                                                • Part of subcall function 00443530: __vbaStrVarMove.MSVBVM60(00000000), ref: 00443656
                                                                • Part of subcall function 00443530: __vbaStrMove.MSVBVM60 ref: 00443661
                                                                • Part of subcall function 00443530: __vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 00443685
                                                                • Part of subcall function 00443530: __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000,?,00000000,004037E6,00443400), ref: 004436A5
                                                                • Part of subcall function 00443530: #645.MSVBVM60(00004008,00000010), ref: 004436D1
                                                                • Part of subcall function 00443530: __vbaStrMove.MSVBVM60 ref: 004436DF
                                                                • Part of subcall function 00443530: __vbaStrCmp.MSVBVM60(00405E48,00000000), ref: 004436EB
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 00443407
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000,?,00000000,?,00000000,004037E6), ref: 0044341F
                                                              • __vbaStrCat.MSVBVM60(\ThunderBirdContacts.txt,00778314,?,00000000,?,00000000,004037E6), ref: 0044343C
                                                              • __vbaFreeStr.MSVBVM60(?,00447054,?,00000000,?,00000000,004037E6), ref: 0044345E
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 00443475
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 00443447
                                                                • Part of subcall function 0043C3E0: __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,0041C10F,?,00447038), ref: 0043C3FE
                                                                • Part of subcall function 0043C3E0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043C42E
                                                                • Part of subcall function 0043C3E0: #648.MSVBVM60(0000000A), ref: 0043C454
                                                                • Part of subcall function 0043C3E0: __vbaFreeVar.MSVBVM60 ref: 0043C461
                                                                • Part of subcall function 0043C3E0: __vbaFileOpen.MSVBVM60(00000220,000000FF,?), ref: 0043C480
                                                                • Part of subcall function 0043C3E0: __vbaPut3.MSVBVM60(00000000,00000000,?), ref: 0043C498
                                                                • Part of subcall function 0043C3E0: __vbaFileClose.MSVBVM60(?), ref: 0043C4AA
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0044348E
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000,?,00000000,?,00000000,004037E6), ref: 004434A6
                                                              • __vbaStrCat.MSVBVM60(\163MailContacts.txt,00778314,?,00000000,?,00000000,004037E6), ref: 004434C3
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 004434CE
                                                              • __vbaFreeStr.MSVBVM60(?,00447054,?,00000000,?,00000000,004037E6), ref: 004434E5
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 004434FC
                                                              • API ID: __vba$Move$Free$Copy$ChkstkError$FileList$#645#648#666CloseOpenPut3
                                                              • String ID: TpD$TpD$TpD$TpD$\163MailContacts.txt$\ThunderBirdContacts.txt
                                                              • API String ID: 250720439-2610928502
                                                              APIs
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,?,00000000), ref: 0044317E
                                                                • Part of subcall function 00442DC0: #644.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00442E00
                                                                • Part of subcall function 00442DC0: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00442E16
                                                                • Part of subcall function 00442DC0: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00442E39
                                                                • Part of subcall function 00442DC0: #644.MSVBVM60 ref: 00442E45
                                                                • Part of subcall function 00442DC0: __vbaAryLock.MSVBVM60(?,?), ref: 00442E51
                                                                • Part of subcall function 00442DC0: __vbaGenerateBoundsError.MSVBVM60 ref: 00442E70
                                                                • Part of subcall function 00442DC0: #644.MSVBVM60(00000000), ref: 00442E8C
                                                                • Part of subcall function 00442DC0: __vbaAryUnlock.MSVBVM60(?), ref: 00442E98
                                                                • Part of subcall function 00442DC0: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 00442EB8
                                                                • Part of subcall function 00442DC0: __vbaAryMove.MSVBVM60(?,?), ref: 00442ECA
                                                              • __vbaAryMove.MSVBVM60(?,?,7@), ref: 0044319B
                                                              • __vbaLbound.MSVBVM60(00000001,?), ref: 004431A7
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 004431B5
                                                              • __vbaAryLock.MSVBVM60(?,?), ref: 004431D6
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004431F5
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00443202
                                                              • #644.MSVBVM60(00000000), ref: 00443217
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 00443220
                                                              • __vbaSetSystemError.MSVBVM60(?,?,-00000001,?,?), ref: 0044323E
                                                              • __vbaAryLock.MSVBVM60(?,?), ref: 0044324C
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0044326B
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00443278
                                                              • #644.MSVBVM60(00000000), ref: 00443287
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 00443290
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,004432CC), ref: 004432C2
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004432C9
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 004432E2
                                                              • API ID: __vba$Error$#644BoundsGenerate$LockSystemUnlock$DestructMoveRedim$LboundOverflowUbound
                                                              • String ID: 7@
                                                              • API String ID: 797121997-48919864
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0041107E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6), ref: 004110C5
                                                              • __vbaSetSystemError.MSVBVM60(000000DF), ref: 0041111E
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 00411175
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0041119E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6), ref: 004111E5
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004037E6), ref: 00411210
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,004037E6), ref: 00411224
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,00000000,004037E6), ref: 00411232
                                                              • __vbaStrMove.MSVBVM60 ref: 00411251
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00411269
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000,?,?), ref: 00411292
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 0041129E
                                                              • API ID: __vba$Error$Move$ChkstkCopyFree$ListOverflowSystem
                                                              • String ID: ?
                                                              • API String ID: 2272671529-1684325040
                                                              APIs
                                                              • API ID: #100
                                                              • String ID:
                                                              • API String ID: 1341478452-0
                                                              • Opcode ID: 98bd0747411af376436a115ef6c0030262cd5bdb49619d9900ab7fd27539ba48
                                                              • Instruction ID: c660f2fe20ef247301e3c42d3be4b8f6915cf0ee5edb4e0fbded730a982285be
                                                              • Opcode Fuzzy Hash: 98bd0747411af376436a115ef6c0030262cd5bdb49619d9900ab7fd27539ba48
                                                              • Instruction Fuzzy Hash: FF41FD6244E7C19FD7039BB48C666827FB1AE13215B4E81EBC4C1CF1A3E219490ACB76
                                                              APIs
                                                              • __vbaOnError.MSVBVM60(00000001,6D4E595C,00000000,6D431654), ref: 00430507
                                                              • __vbaUbound.MSVBVM60(00000001,00000000), ref: 0043051E
                                                              • __vbaI2I4.MSVBVM60 ref: 00430522
                                                              • __vbaAryLock.MSVBVM60(?), ref: 00430542
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430566
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430577
                                                              • #573.MSVBVM60(?,00004011), ref: 00430597
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 004305A1
                                                              • __vbaVarMove.MSVBVM60 ref: 004305B0
                                                              • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 004305CF
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 004305E4
                                                              • __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 004305F0
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430630
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043063E
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00430660
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 0043066F
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00430680
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 004306A9
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 004306D1
                                                              • #681.MSVBVM60(?,0000000B,00000003,00000003), ref: 004306FD
                                                              • __vbaI2Var.MSVBVM60(?), ref: 00430707
                                                              • __vbaFreeVarList.MSVBVM60(00000004,0000000B,00000003,00000003,?), ref: 00430722
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 0043074B
                                                              • __vbaAryMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 004307E0
                                                              • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 0043080A
                                                              • __vbaAryLock.MSVBVM60(?), ref: 00430820
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430851
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430862
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00430885
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004308D3
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004308E7
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 004308F8
                                                              • #681.MSVBVM60(?,0000000B,00000003,00004011), ref: 0043094A
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 00430954
                                                              • __vbaI2Var.MSVBVM60(?), ref: 0043095E
                                                              • __vbaFreeVarList.MSVBVM60(00000003,0000000B,00000003,?), ref: 00430975
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 0043099E
                                                              • __vbaStrMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 00430A40
                                                              • __vbaFreeStr.MSVBVM60(00000008,00006008), ref: 00430A80
                                                              • __vbaFreeVar.MSVBVM60 ref: 00430A89
                                                              • __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,?,00000000), ref: 00430AB9
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430AF1
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430B0C
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 00430B34
                                                              • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 00430B66
                                                              • __vbaAryLock.MSVBVM60(?), ref: 00430B7C
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430BAD
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430BBE
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00430BE1
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430C2F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430C43
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00430C54
                                                              • #681.MSVBVM60(?,0000000B,00000003,00004011), ref: 00430CA6
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 00430CB0
                                                              • __vbaI2Var.MSVBVM60(?), ref: 00430CBA
                                                              • __vbaFreeVarList.MSVBVM60(00000003,0000000B,00000003,?), ref: 00430CD1
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00430CFA
                                                              • __vbaStrMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 00430D9C
                                                              • __vbaFreeStr.MSVBVM60(00000008,00006008), ref: 00430DDC
                                                              • __vbaFreeVar.MSVBVM60 ref: 00430DE5
                                                              • __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,?,00000000), ref: 00430E15
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430E4D
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430E68
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 00430E90
                                                              • __vbaVarTstEq.MSVBVM60(00008002,?), ref: 00430EC2
                                                              • __vbaAryLock.MSVBVM60(?), ref: 00430ED8
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430F09
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430F1A
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00430F3D
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430F8B
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00430F9F
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00430FB0
                                                              • #681.MSVBVM60(?,0000000B,00000003,00004011), ref: 00431002
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 0043100C
                                                              • __vbaI2Var.MSVBVM60(?), ref: 00431016
                                                              • __vbaFreeVarList.MSVBVM60(00000003,0000000B,00000003,?), ref: 0043102D
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00431056
                                                              • __vbaStrMove.MSVBVM60(?,?,?,0000000B,?,?,00000000,00004002), ref: 004310F8
                                                              • __vbaFreeStr.MSVBVM60(00000008,00006008), ref: 00431138
                                                              • __vbaFreeVar.MSVBVM60 ref: 00431141
                                                              • __vbaRedimPreserve.MSVBVM60(00000180,00000004,?,00000008,00000001,?,00000000), ref: 00431171
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004311A9
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004311C4
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 004311EC
                                                              • __vbaStrCopy.MSVBVM60 ref: 00431202
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043120B
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 00431249
                                                              • __vbaExitProc.MSVBVM60 ref: 0043124F
                                                              • __vbaFreeVar.MSVBVM60(004312C7), ref: 0043129F
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004312B4
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004312BC
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004312C4
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 004312DD
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0043130E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,6D4145C1,00000000,004037E6), ref: 0043133E
                                                              • __vbaStrMove.MSVBVM60(00000000), ref: 00431388
                                                              • #712.MSVBVM60(?,0040635C,00405E48,00000001,000000FF,00000000), ref: 004313A9
                                                              • __vbaStrMove.MSVBVM60 ref: 004313B4
                                                              • __vbaAryMove.MSVBVM60(?,?,?), ref: 004313D4
                                                              • __vbaFreeStr.MSVBVM60 ref: 004313DD
                                                              • __vbaUbound.MSVBVM60(00000001,00000000,00000000), ref: 004313FB
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000002), ref: 0043141A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$BoundsGenerate$Ubound$Free$Move$Redim$#681ListLockUnlock$DestructPreserve$#573#712ChkstkCopyExitOverflowProc
                                                              • String ID: $('@$0$062501061A122F17$161E2D0B1326230C2F1A02170506280A3F$1B2C1208283D$2221010F0D1908102100274B7F6A$2236351B002F261C537950$2A131B120511$2E2D3B361A3B2224371A07210B032B2B36$3E0E32262506000E6C4954$<pD$<pD$<pD$<pD$<pD$===============DARKCLOUD===============$BlockSize$CreateDecryptor$Item$JnJrrtsBrWkOASydDlaOUjvMAeRDjQCdb$Key$Mode$Padding$SDvcfLudmVnqpDkgfJtlobUpzklXWgWChNBMbZyZbYS$System.Security.Cryptography.RijndaelManaged$TransformFinalBlock$UnoAURirjLstwbtIVegZrKVdeQLzDpJt$Url : $acQqcdzidHoIkEJjVRTRveXnvHgFXysROQijIGKahB$bKCXDcKVASJfRxtDYRdteTctwdVJhvMReD$keySize$uspNyjVWiKOqrwhIgZdAfHxzNhSNWVXIW$wwCuaFNaNUvvv$ywEPinNKysCpaeMSnVLMtB
                                                              • API String ID: 2339242223-3257359708
                                                              • Opcode ID: bf5fe93aa39a95bd1ddb8efcbd039df82b81adda42eeb472b282e61273568719
                                                              • Instruction ID: 298e39289ec236ab046169f29428d29d9046317af0f024d53a004af3cb4a3d2b
                                                              • Opcode Fuzzy Hash: bf5fe93aa39a95bd1ddb8efcbd039df82b81adda42eeb472b282e61273568719
                                                              • Instruction Fuzzy Hash: 2A4328B5D002189FDB14DFA4CD94BEEBBB5FF48300F1081AAE50AAB291DB745A85CF54
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: afc465d53516b4c43e74c2d00ef54952fe9992bad67ced8315e2a629bdb099a5
                                                              • Instruction ID: 921d6061b2827dc628c1f5e11543a31c57024185aa7d04a0248d210a3f4289d3
                                                              • Opcode Fuzzy Hash: afc465d53516b4c43e74c2d00ef54952fe9992bad67ced8315e2a629bdb099a5
                                                              • Instruction Fuzzy Hash: C3F1BB505AE3C11FD3A38B701DBA5A67F74AD0300435E19EFC9C2CA4E7E108895AC7AB
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f1166e6ad43256b00d4c001dfcd52799471681c6fee905dca9cadc86163640e9
                                                              • Instruction ID: f2df7434bebea8fbc39008520fa5093bdd79dd04f24560227b6424223a93e409
                                                              • Opcode Fuzzy Hash: f1166e6ad43256b00d4c001dfcd52799471681c6fee905dca9cadc86163640e9
                                                              • Instruction Fuzzy Hash: 6CB012143C8402ABE200AB584C0192325D0D2003C03B08C33F044E53D0CF39CD004E7E
                                                              APIs
                                                                • Part of subcall function 0043BC70: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                                • Part of subcall function 0043BC70: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                                • Part of subcall function 0043BC70: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                                • Part of subcall function 0043BC70: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • #632.MSVBVM60(?,?,?,?,00402FA8,?,6D50C2DA,00000000,?), ref: 0043AAFF
                                                              • __vbaStrVarMove.MSVBVM60(?,?,?,00402FA8,?,6D50C2DA,00000000,?), ref: 0043AB09
                                                              • __vbaStrMove.MSVBVM60(?,?,00402FA8,?,6D50C2DA,00000000,?), ref: 0043AB1A
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00402FA8,?,6D50C2DA,00000000,?), ref: 0043AB26
                                                              • __vbaLenBstr.MSVBVM60(00000000,6D50C2DA,00000000,?), ref: 0043AB44
                                                              • #632.MSVBVM60(?,00004008,?,00000002), ref: 0043AB88
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 0043AB92
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AB9D
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043ABA9
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043ABB8
                                                              • __vbaStrCmp.MSVBVM60(0040654C,?), ref: 0043ABCD
                                                              • #632.MSVBVM60(?,00004008,-00000001,00000002), ref: 0043AC0C
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 0043AC16
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AC21
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043AC2D
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043AC3F
                                                              • __vbaStrCmp.MSVBVM60(00406544,?), ref: 0043AC51
                                                              • __vbaStrCmp.MSVBVM60(0040654C,?), ref: 0043AC67
                                                              • __vbaStrCmp.MSVBVM60(00406524,?), ref: 0043AC7D
                                                              • __vbaStrCmp.MSVBVM60(00406554,?), ref: 0043AC93
                                                              • __vbaStrCmp.MSVBVM60(0040D938,?), ref: 0043ACA9
                                                              • __vbaStrCat.MSVBVM60(0040D940,?), ref: 0043ACB8
                                                              • __vbaStrMove.MSVBVM60 ref: 0043ACC3
                                                              • __vbaStrCmp.MSVBVM60(0040D930,?), ref: 0043ACD6
                                                              • __vbaStrCat.MSVBVM60(0040D948,?), ref: 0043ACE5
                                                              • __vbaStrMove.MSVBVM60 ref: 0043ACF0
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043ACFF
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0043AD13
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043AD1D
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AD30
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 0043AD4B
                                                              • __vbaStrCmp.MSVBVM60(00000000), ref: 0043AD4E
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043AD6F
                                                              • __vbaStrCat.MSVBVM60(0040D950,?), ref: 0043AD86
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AD91
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043ADB3
                                                              • __vbaStrMove.MSVBVM60(?), ref: 0043ADC3
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043ADCD
                                                              • __vbaStrMove.MSVBVM60 ref: 0043ADDC
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 0043ADF7
                                                              • __vbaStrCmp.MSVBVM60(00000000), ref: 0043ADFA
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 0043AE1F
                                                              • __vbaStrCat.MSVBVM60(0040D958,?), ref: 0043AE36
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AE41
                                                              • __vbaStrCmp.MSVBVM60(0040D928,?), ref: 0043AE67
                                                              • __vbaStrCat.MSVBVM60(004097E8,?), ref: 0043AE76
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AE81
                                                              • __vbaStrCmp.MSVBVM60(0040D960,?), ref: 0043AEA1
                                                              • #632.MSVBVM60(?,00004008,-00000001,00000002), ref: 0043AEE0
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 0043AEF0
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AEF7
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043AF03
                                                              • __vbaStrCat.MSVBVM60(?,0040D968), ref: 0043AF22
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AF2D
                                                              • #581.MSVBVM60(00000000), ref: 0043AF30
                                                              • __vbaFpI4.MSVBVM60 ref: 0043AF36
                                                              • #698.MSVBVM60(00000002,00000000), ref: 0043AF41
                                                              • __vbaVarAdd.MSVBVM60(?,00000002,00000008), ref: 0043AF53
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0043AF5A
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AF61
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043AF66
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043AF76
                                                              • __vbaStrCat.MSVBVM60(?,?), ref: 0043AF91
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AF9C
                                                              • __vbaStrCmp.MSVBVM60(?,?), ref: 0043AFAB
                                                              • __vbaStrCat.MSVBVM60(?,?), ref: 0043AFB9
                                                              • __vbaStrMove.MSVBVM60 ref: 0043AFC4
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?,0043B058), ref: 0043B039
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043B04B
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043B050
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043B055
                                                              • __vbaErrorOverflow.MSVBVM60(6D50C2DA,00000000,?), ref: 0043B06E
                                                              Strings
                                                              • AtrQTazzGGzuBsdrTZwNltkYuGvPOhds, xrefs: 0043ADC5
                                                              • FQVElVSnPClKjFGdGcxlq, xrefs: 0043AD15
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$List$#632Copy$Bstr$#516#631$#537#581#608#698ErrorOverflow
                                                              • String ID: AtrQTazzGGzuBsdrTZwNltkYuGvPOhds$FQVElVSnPClKjFGdGcxlq
                                                              • API String ID: 2359777993-2688674158
                                                              • Opcode ID: 1b4d6e6201e6f2dffb93fb0e598b00b458ce283d44d6f79c8a2ac9c31b575ff1
                                                              • Instruction ID: dd7459b43a24863b99839c8fdffea14a66d0e998085e751192c5621debdbf9d2
                                                              • Opcode Fuzzy Hash: 1b4d6e6201e6f2dffb93fb0e598b00b458ce283d44d6f79c8a2ac9c31b575ff1
                                                              • Instruction Fuzzy Hash: 81021EB19002099FDB14DFE4DC85EEEBBB9FF88304F10412AE546B7254EB74A949CB64
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,?,?,00000000), ref: 00424EBE
                                                              • __vbaOnError.MSVBVM60(000000FF,00401F08,-00000001,6D4EEC2C,00000000,004037E6), ref: 00424EEE
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00424F0E
                                                              • __vbaVarMove.MSVBVM60 ref: 00424F2D
                                                              • __vbaLenBstr.MSVBVM60 ref: 00424F40
                                                              • __vbaStrCat.MSVBVM60(00409C14,?), ref: 00424FB0
                                                              • __vbaStrMove.MSVBVM60 ref: 00424FBE
                                                              • #631.MSVBVM60(00000002,-00000001,00000002,00000000), ref: 00424FDF
                                                              • __vbaStrMove.MSVBVM60 ref: 00424FED
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00424FF4
                                                              • __vbaStrMove.MSVBVM60 ref: 00425002
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00425018
                                                              • __vbaFreeVar.MSVBVM60 ref: 00425027
                                                              • __vbaAryMove.MSVBVM60(?,?,?), ref: 00425060
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 00425080
                                                              • __vbaRecAssign.MSVBVM60(00407134,?,?,?), ref: 004250AE
                                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 004250DA
                                                              • __vbaUI1I2.MSVBVM60 ref: 004250F0
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 00425123
                                                              • __vbaAryCopy.MSVBVM60(?,?,?), ref: 0042514F
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 0042516F
                                                              • __vbaRecAssign.MSVBVM60(00407134,?,?,?), ref: 0042519D
                                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 004251C2
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 004251F1
                                                              • __vbaRecAssign.MSVBVM60(00407134,?,?,?), ref: 0042521F
                                                              • __vbaVarMove.MSVBVM60 ref: 0042524F
                                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 00425267
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 00425284
                                                              • __vbaVarMul.MSVBVM60(00000008,00000002,?,00000003,00000000), ref: 004252C9
                                                              • __vbaVarSub.MSVBVM60(?,00000000), ref: 004252D7
                                                              • __vbaI4Var.MSVBVM60(00000000), ref: 004252DE
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000), ref: 004252F4
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 0042530D
                                                              • __vbaVarMul.MSVBVM60(?,00000002,?), ref: 0042538D
                                                              • __vbaI2Var.MSVBVM60(00000000), ref: 00425394
                                                              • __vbaVarMul.MSVBVM60(?,00000002,?,00000003), ref: 004253D0
                                                              • __vbaVarSub.MSVBVM60(?,00000000), ref: 004253DE
                                                              • __vbaVarAdd.MSVBVM60(?,00000002,00000000), ref: 004253F3
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438A1E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438A4E
                                                                • Part of subcall function 00438890: __vbaVarVargNofree.MSVBVM60 ref: 00438A6F
                                                                • Part of subcall function 00438890: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00438A7E
                                                                • Part of subcall function 00438890: __vbaI2Var.MSVBVM60(00000000), ref: 00438A85
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B0B
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B2E
                                                                • Part of subcall function 00438890: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00438B56
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B66
                                                                • Part of subcall function 00438890: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 00438B89
                                                              • __vbaFreeVar.MSVBVM60(00006011,?,00006011,00000000,00000000), ref: 00425421
                                                              • __vbaUI1I2.MSVBVM60 ref: 0042543D
                                                              • __vbaUI1I2.MSVBVM60 ref: 00425452
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 00425491
                                                                • Part of subcall function 00425720: __vbaUbound.MSVBVM60(00000001,?,00401F08,-00000001,6D4EEC2C), ref: 0042579A
                                                                • Part of subcall function 00425720: __vbaUI1I2.MSVBVM60(?,00401F08,-00000001,6D4EEC2C), ref: 004257A2
                                                                • Part of subcall function 00425720: __vbaAryCopy.MSVBVM60(?,00401FE0,?,00401F08,-00000001,6D4EEC2C), ref: 004257B0
                                                                • Part of subcall function 00425720: __vbaFreeVar.MSVBVM60(00425A0E), ref: 004259FA
                                                                • Part of subcall function 00425720: __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00425A02
                                                                • Part of subcall function 00425720: __vbaFreeVar.MSVBVM60 ref: 00425A0B
                                                              • __vbaRecAssign.MSVBVM60(00407134,?,?,?), ref: 004254BC
                                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 004254DE
                                                              • #698.MSVBVM60(?,?), ref: 0042550F
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042552A
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 00425531
                                                              • __vbaStrMove.MSVBVM60 ref: 0042553C
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425552
                                                              • __vbaStrVarVal.MSVBVM60(?,?,00405E48,00000001,000000FF,00000000), ref: 00425597
                                                              • #712.MSVBVM60(?,00000000), ref: 004255A2
                                                              • __vbaStrMove.MSVBVM60 ref: 004255AD
                                                              • __vbaFreeStr.MSVBVM60 ref: 004255B9
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?,00425702), ref: 00425626
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 00425638
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 0042564A
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 0042565C
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 0042566E
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042567D
                                                              • __vbaFreeVar.MSVBVM60 ref: 00425686
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 00425695
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042569E
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 004256AD
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 004256BC
                                                              • __vbaFreeStr.MSVBVM60 ref: 004256C5
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004256D1
                                                              • __vbaRecDestruct.MSVBVM60(00407134,?), ref: 004256E0
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004256EF
                                                              • __vbaFreeStr.MSVBVM60 ref: 004256FB
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 00425718
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Destruct$Free$Move$Copy$Chkstk$Assign$ErrorUbound$IndexList$#631#698#712BstrLoadNofreeOverflowRedimStoreVarg
                                                              • String ID: (
                                                              • API String ID: 3448099741-3887548279
                                                              • Opcode ID: 7989a972877351122fc518feb7f46e676b1c8f569fb04ac2c0d715735610db4a
                                                              • Instruction ID: cf1200032e7af01620fa9bab5de36014641311e71907d929a20530ac57e69b0d
                                                              • Opcode Fuzzy Hash: 7989a972877351122fc518feb7f46e676b1c8f569fb04ac2c0d715735610db4a
                                                              • Instruction Fuzzy Hash: 4022F8B5800259EFDB14DF90DD48BEDBBB8BB48304F1081D9E54AB72A1DB741A88CF65
                                                              APIs
                                                                • Part of subcall function 0043BC70: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                                • Part of subcall function 0043BC70: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                                • Part of subcall function 0043BC70: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                                • Part of subcall function 0043BC70: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • __vbaLenBstr.MSVBVM60(?,/@,?,?,00000000,00000000), ref: 0043B81C
                                                              • #632.MSVBVM60(?,?,00000000,?,?,/@,?,?,00000000,00000000), ref: 0043B860
                                                              • __vbaStrVarMove.MSVBVM60(?,?,/@,?,?,00000000,00000000), ref: 0043B86A
                                                              • __vbaStrMove.MSVBVM60(?,/@,?,?,00000000,00000000), ref: 0043B875
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,/@,?,?,00000000,00000000), ref: 0043B881
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,00000000), ref: 0043B893
                                                              • __vbaStrCmp.MSVBVM60(00406544,?), ref: 0043B8AB
                                                              • #632.MSVBVM60(?,00004008,?,00000002,/@,?), ref: 0043B904
                                                              • __vbaVarTstNe.MSVBVM60(?,?,?,00000002,/@,?), ref: 0043B929
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00000002,/@,?), ref: 0043B93B
                                                              • __vbaStrCmp.MSVBVM60(00406554,?), ref: 0043B95E
                                                              • #632.MSVBVM60(?,00004008,00000000,00000002,/@,?), ref: 0043B9B7
                                                              • __vbaVarTstNe.MSVBVM60(?,?), ref: 0043B9DC
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043B9EE
                                                              • __vbaStrCmp.MSVBVM60(004064D4,?), ref: 0043BA11
                                                              • __vbaStrCat.MSVBVM60(?,?), ref: 0043BA3C
                                                              • __vbaStrMove.MSVBVM60 ref: 0043BA47
                                                              • __vbaStrCat.MSVBVM60(0040D958,00405C14,00000001), ref: 0043BA60
                                                              • __vbaStrMove.MSVBVM60 ref: 0043BA67
                                                              • __vbaStrCat.MSVBVM60(0040D950,00000000), ref: 0043BA6F
                                                              • __vbaStrMove.MSVBVM60 ref: 0043BA76
                                                              • __vbaStrCat.MSVBVM60(004097E8,00000000), ref: 0043BA7E
                                                              • __vbaStrMove.MSVBVM60 ref: 0043BA85
                                                              • __vbaStrCat.MSVBVM60(0040635C,00000000), ref: 0043BA8D
                                                              • __vbaStrMove.MSVBVM60 ref: 0043BA94
                                                              • __vbaInStr.MSVBVM60(00000000,?,00000000), ref: 0043BA9D
                                                              • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 0043BABF
                                                              • __vbaStrCat.MSVBVM60(?,?), ref: 0043BAD5
                                                              • __vbaStrMove.MSVBVM60 ref: 0043BAE0
                                                              • __vbaStrCat.MSVBVM60(Invalid Key at position ,00000000,?,?,?), ref: 0043BB06
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 0043BB0D
                                                              • __vbaStrI4.MSVBVM60(?,00000000,?,?,?), ref: 0043BB13
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,?,?), ref: 0043BB1E
                                                              • __vbaStrCat.MSVBVM60(00000000,?,00000000,?,?,?), ref: 0043BB21
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,?,?), ref: 0043BB28
                                                              • __vbaStrCat.MSVBVM60( : ,00000000,?,00000000,?,?,?), ref: 0043BB30
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,?,?), ref: 0043BB37
                                                              • __vbaStrCat.MSVBVM60(?,00000000,?,00000000,?,?,?), ref: 0043BB3E
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,?,?), ref: 0043BB45
                                                              • __vbaStrCat.MSVBVM60(00405C14,00000000,?,00000000,?,?,?), ref: 0043BB4D
                                                              • __vbaStrMove.MSVBVM60(?,00000000,?,?,?), ref: 0043BB56
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000,?,?,?), ref: 0043BBE7
                                                              • __vbaFreeStr.MSVBVM60(0043BC4E,?,/@,?,?,00000000,00000000), ref: 0043BC46
                                                              • __vbaFreeStr.MSVBVM60(?,/@,?,?,00000000,00000000), ref: 0043BC4B
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 0043BC64
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$List$#632$Bstr$CopyErrorOverflow
                                                              • String ID: : $HpD$HpD$Invalid Key at position $/@
                                                              • API String ID: 3701425030-999863498
                                                              • Opcode ID: 5438d6bd9f0b61fa905cd15ca67b2df7d31b1ebc6f794f7e171ddd832681ccfd
                                                              • Instruction ID: 35123fea3e48aa0ac95ca36b46d8bfc15b8378f163da5c19d72305b800f24b02
                                                              • Opcode Fuzzy Hash: 5438d6bd9f0b61fa905cd15ca67b2df7d31b1ebc6f794f7e171ddd832681ccfd
                                                              • Instruction Fuzzy Hash: EFD11EB1D00219AFDB14EBA4DC85EEEBBB8EF88300F10816AE505F7254EB745945CFA5
                                                              APIs
                                                              • #644.MSVBVM60(AES,6D4145C1,00000000,`)@), ref: 00435AEA
                                                              • __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00435B01
                                                              • __vbaStrCopy.MSVBVM60 ref: 00435B10
                                                              • #644.MSVBVM60(ChainingMode), ref: 00435B20
                                                              • #644.MSVBVM60(ChainingModeGCM), ref: 00435B2A
                                                              • __vbaSetSystemError.MSVBVM60(?,?,00000000,00000020,00000000), ref: 00435B3F
                                                              • __vbaAryLock.MSVBVM60(?), ref: 00435B53
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00435B72
                                                              • #644.MSVBVM60(00000000), ref: 00435B94
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 00435BA2
                                                              • __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00435BAE
                                                              • __vbaSetSystemError.MSVBVM60(?,?,00000000,00000000,00000000,-00000001,?,00000000), ref: 00435BD2
                                                              • __vbaAryLock.MSVBVM60(?,?,?,00000000), ref: 00435BF8
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,00000000), ref: 00435C17
                                                              • #644.MSVBVM60(00000000,?,?,00000000), ref: 00435C33
                                                              • __vbaAryUnlock.MSVBVM60(?,?,?,00000000), ref: 00435C3B
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 00435E14
                                                              • __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00435E24
                                                              • __vbaFreeStr.MSVBVM60(00435E4A), ref: 00435E43
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$#644System$BoundsGenerateLockUnlock$CopyFreeUbound
                                                              • String ID: @$AES$BCryptOpenAlgorithmProvider$ChainingMode$ChainingModeGCM$`)@
                                                              • API String ID: 254650619-3422885896
                                                              • Opcode ID: 3e141964f0e84265af439ef0a528433d13cede21aedc68910adc68f5f056e024
                                                              • Instruction ID: 1151c310d5709d2f0cce00bde4cd2fe37c96edd953e7687009502fef676dd1f0
                                                              • Opcode Fuzzy Hash: 3e141964f0e84265af439ef0a528433d13cede21aedc68910adc68f5f056e024
                                                              • Instruction Fuzzy Hash: C2C10C74A003089FCB14DFA4DD94AAEB7B9FF48704F20952EE915AB351DB74A841CF68
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 004248BE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 004248EE
                                                              • #716.MSVBVM60(?,System.Security.Cryptography.RijndaelManaged,00000000,?,00000000,?,00000000,004037E6), ref: 0042490D
                                                              • __vbaVarSetVar.MSVBVM60(?,?,?,00000000,?,00000000,004037E6), ref: 0042491B
                                                              • __vbaChkstk.MSVBVM60 ref: 0042493E
                                                              • __vbaVarLateMemSt.MSVBVM60(?,keySize), ref: 00424968
                                                              • __vbaChkstk.MSVBVM60 ref: 0042498B
                                                              • __vbaVarLateMemSt.MSVBVM60(?,Padding), ref: 004249B5
                                                              • __vbaChkstk.MSVBVM60 ref: 004249D8
                                                              • __vbaVarLateMemSt.MSVBVM60(?,Mode), ref: 00424A02
                                                              • __vbaStrCopy.MSVBVM60 ref: 00424A17
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00424A2B
                                                              • __vbaStrCopy.MSVBVM60 ref: 00424A39
                                                              • __vbaStrMove.MSVBVM60 ref: 00424A58
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00424A70
                                                                • Part of subcall function 00424D00: #644.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00424D43
                                                                • Part of subcall function 00424D00: __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424D52
                                                                • Part of subcall function 00424D00: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424D68
                                                                • Part of subcall function 00424D00: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424D94
                                                                • Part of subcall function 00424D00: #644.MSVBVM60(00000000), ref: 00424DA0
                                                                • Part of subcall function 00424D00: __vbaAryLock.MSVBVM60(?,?), ref: 00424DAC
                                                                • Part of subcall function 00424D00: __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00424DCB
                                                                • Part of subcall function 00424D00: __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,00000000), ref: 00424DF2
                                                                • Part of subcall function 00424D00: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000), ref: 00424E06
                                                                • Part of subcall function 00424D00: __vbaAryUnlock.MSVBVM60(?), ref: 00424E10
                                                              • __vbaChkstk.MSVBVM60(?), ref: 00424A8E
                                                              • __vbaVarLateMemSt.MSVBVM60(?,Key,?), ref: 00424AB5
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00424AD1
                                                              • __vbaFreeVar.MSVBVM60(?,?,00000000,?,00000000,004037E6), ref: 00424ADD
                                                              • __vbaVarLateMemCallLd.MSVBVM60(?,?,CreateDecryptor,00000000,?,?,00000000,?,00000000,004037E6), ref: 00424B00
                                                              • __vbaVarSetVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00424B0E
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00424B4E
                                                              • __vbaChkstk.MSVBVM60 ref: 00424B72
                                                              • __vbaChkstk.MSVBVM60 ref: 00424B98
                                                              • __vbaChkstk.MSVBVM60 ref: 00424BC7
                                                              • __vbaVarLateMemCallLd.MSVBVM60(?,?,TransformFinalBlock,00000003), ref: 00424C00
                                                              • __vbaVar2Vec.MSVBVM60(?,00000000), ref: 00424C0E
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 00424C1C
                                                              • __vbaFreeVar.MSVBVM60 ref: 00424C25
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 00424C38
                                                                • Part of subcall function 004384A0: __vbaStrCopy.MSVBVM60(6D41D8B1,00000000,00000000), ref: 004384E2
                                                                • Part of subcall function 004384A0: __vbaGenerateBoundsError.MSVBVM60 ref: 00438521
                                                                • Part of subcall function 004384A0: __vbaStrUI1.MSVBVM60(?), ref: 0043853A
                                                                • Part of subcall function 004384A0: __vbaStrMove.MSVBVM60 ref: 00438545
                                                                • Part of subcall function 004384A0: __vbaStrCmp.MSVBVM60(00409C14,00000000), ref: 0043854D
                                                                • Part of subcall function 004384A0: __vbaFreeStr.MSVBVM60 ref: 00438560
                                                                • Part of subcall function 004384A0: __vbaGenerateBoundsError.MSVBVM60 ref: 00438597
                                                                • Part of subcall function 004384A0: #608.MSVBVM60(?,00000000), ref: 004385B6
                                                                • Part of subcall function 004384A0: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 004385C8
                                                                • Part of subcall function 004384A0: __vbaStrVarMove.MSVBVM60(00000000), ref: 004385CF
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00424C59
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00424CDC), ref: 00424CB7
                                                              • __vbaFreeVar.MSVBVM60 ref: 00424CC0
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00424CCC
                                                              • __vbaFreeVar.MSVBVM60 ref: 00424CD5
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 00424CF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Chkstk$Error$Late$Bstr$BoundsCopyGenerate$#516#608#631#644CallDestructListSystemUbound$#537#632#716LockOverflowRedimUnlockVar2
                                                              • String ID: 0A072116261A27213C121A193F22093C$CreateDecryptor$Key$Mode$Padding$System.Security.Cryptography.RijndaelManaged$TransformFinalBlock$fbcGlVcTWLhstPPaWXiGijQRpLIkKmjH$keySize
                                                              • API String ID: 2183829440-1930603034
                                                              • Opcode ID: ee43207b635a90778e71cb6fd0de300fe688281bfba95c5985f22c89587aa722
                                                              • Instruction ID: be3a3cb9c71aa96ba21074a0b7b64d6a3f01bf19cb55333382a973b9e742c115
                                                              • Opcode Fuzzy Hash: ee43207b635a90778e71cb6fd0de300fe688281bfba95c5985f22c89587aa722
                                                              • Instruction Fuzzy Hash: 94C104B4900208DFDB14DFA4D988B9DFBB5FB48304F10C1AEE509AB291DB75AA85CF54
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,?,00435713,00000000,?,?,?,?,?,?,?,00000000), ref: 00435E8E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 00435EBE
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 00435ED3
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 00435EE7
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 00435EF5
                                                              • __vbaStrMove.MSVBVM60 ref: 00435F14
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00435F32
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 00435F39
                                                              • __vbaStrMove.MSVBVM60 ref: 00435F44
                                                                • Part of subcall function 004362D0: __vbaChkstk.MSVBVM60(?,004037E6,?,?,00000000,?,?,004037E6), ref: 004362EE
                                                                • Part of subcall function 004362D0: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043631E
                                                                • Part of subcall function 004362D0: #645.MSVBVM60(00004008,00000000), ref: 0043633E
                                                                • Part of subcall function 004362D0: __vbaStrMove.MSVBVM60 ref: 00436349
                                                                • Part of subcall function 004362D0: __vbaLenBstrB.MSVBVM60(00000000), ref: 00436350
                                                                • Part of subcall function 004362D0: __vbaFreeStr.MSVBVM60 ref: 00436366
                                                                • Part of subcall function 004362D0: #648.MSVBVM60(0000000A), ref: 00436391
                                                                • Part of subcall function 004362D0: __vbaFreeVar.MSVBVM60 ref: 0043639E
                                                                • Part of subcall function 004362D0: __vbaFileOpen.MSVBVM60(00000020,000000FF,00000000,00000000), ref: 004363BA
                                                                • Part of subcall function 004362D0: #570.MSVBVM60(00000000), ref: 004363CC
                                                                • Part of subcall function 004362D0: #525.MSVBVM60(00000000), ref: 004363D3
                                                                • Part of subcall function 004362D0: __vbaStrMove.MSVBVM60 ref: 004363DE
                                                                • Part of subcall function 004362D0: __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004363F6
                                                                • Part of subcall function 004362D0: __vbaFileClose.MSVBVM60(00000000), ref: 00436408
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00435F58
                                                                • Part of subcall function 004395C0: __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,00000000,?,?,004037E6), ref: 004395DE
                                                                • Part of subcall function 004395C0: __vbaStrCopy.MSVBVM60(?,00000000), ref: 00439624
                                                                • Part of subcall function 004395C0: __vbaOnError.MSVBVM60(000000FF,?,00000000), ref: 00439633
                                                                • Part of subcall function 004395C0: #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0043967F
                                                                • Part of subcall function 004395C0: __vbaVarMove.MSVBVM60 ref: 0043968B
                                                                • Part of subcall function 004395C0: __vbaFreeVar.MSVBVM60 ref: 00439694
                                                                • Part of subcall function 004395C0: __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004396B7
                                                                • Part of subcall function 004395C0: __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001), ref: 004396DD
                                                                • Part of subcall function 004395C0: __vbaFreeVar.MSVBVM60(0043977F), ref: 00439778
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?), ref: 00435F6C
                                                              • __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,00000000), ref: 00435F90
                                                              • __vbaObjIs.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,004037E6), ref: 00435FA6
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,004037E6), ref: 00435FC8
                                                              • __vbaStrCmp.MSVBVM60(00405E48,00000000,?,?,?,?,00000000,?,?,004037E6), ref: 00435FD4
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,004037E6), ref: 00435FEB
                                                              • __vbaChkstk.MSVBVM60 ref: 00436031
                                                              • __vbaChkstk.MSVBVM60(Item,00000001), ref: 00436067
                                                              • __vbaLateMemCallLd.MSVBVM60(?,?,Item,00000001,Item,00000001), ref: 0043609A
                                                              • __vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004360A8
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004360B2
                                                              • __vbaStrMove.MSVBVM60 ref: 004360BD
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004360CD
                                                              • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 004360F7
                                                              • __vbaUbound.MSVBVM60(00000001,?,00000000,?,?,?,?,00000000,?,?,004037E6), ref: 0043610C
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000005,?,?,?,?,00000000,?,?,004037E6), ref: 0043612B
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 00436141
                                                              • __vbaFreeVar.MSVBVM60(00006011,00000005,00006011,00000000,00000003), ref: 004361B7
                                                              • __vbaStrCopy.MSVBVM60 ref: 004361C9
                                                              • __vbaAryMove.MSVBVM60(?,?,?,?,00000000,00000000,00000004,00000000), ref: 004361F5
                                                              • __vbaFreeStr.MSVBVM60 ref: 004361FE
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,004362AE), ref: 00436265
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00436274
                                                              • __vbaFreeObj.MSVBVM60 ref: 0043627D
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00436289
                                                              • __vbaFreeStr.MSVBVM60 ref: 00436292
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0043629E
                                                                • Part of subcall function 0043BEE0: __vbaStrCopy.MSVBVM60(6D50C2DA,00008008), ref: 0043BF19
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$ChkstkCopy$BstrDestruct$ErrorList$#516#631#632CallFileLateUbound$#525#537#570#608#645#648CloseGet3OpenRedim
                                                              • String ID: 1A0F1917250F780420241F2E$Item$encrypted_key$os_crypt$zFCvtDcXWTEkKgsxBiaCxdmgbKJnFkQjgZ
                                                              • API String ID: 676153682-1893726263
                                                              • Opcode ID: bb8a17756908b98ed173b86f045b2f328a0e43826e3a69f4c07fe70827a57e08
                                                              • Instruction ID: 80178c1f6a7ff14bdff34116ef7ab18a2975c90d42152e4aab74c4692f0aecc3
                                                              • Opcode Fuzzy Hash: bb8a17756908b98ed173b86f045b2f328a0e43826e3a69f4c07fe70827a57e08
                                                              • Instruction Fuzzy Hash: 2FC1F971900218ABDB04DFA4DD89BEEBBB9FF48305F108169F506B72A0DB745A89CF54
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00437B8E
                                                              • __vbaStrCopy.MSVBVM60(6D41D8B1,?,00000000,00000000,004037E6), ref: 00437BBB
                                                              • __vbaOnError.MSVBVM60(000000FF), ref: 00437BCA
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 00437BEF
                                                              • __vbaLbound.MSVBVM60(00000001), ref: 00437BFF
                                                              • __vbaAryLock.MSVBVM60(?), ref: 00437C2F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00437C6C
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00437C86
                                                              • #644.MSVBVM60(?), ref: 00437C9F
                                                              • __vbaAryUnlock.MSVBVM60(00000000), ref: 00437CAF
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 00437D29
                                                              • #644.MSVBVM60(?), ref: 00437D3E
                                                              • __vbaSetSystemError.MSVBVM60(?,?,00000000,00000000,?,?,?), ref: 00437D88
                                                              • #685.MSVBVM60 ref: 00437DAF
                                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00437DBA
                                                              • #685.MSVBVM60 ref: 00437E0A
                                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 00437E15
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040CDD8,0000004C), ref: 00437E60
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040CDD8,00000044), ref: 00437ED3
                                                              • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00437EF5
                                                              • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00437F16
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 00437F44
                                                              • __vbaAryLock.MSVBVM60(?,?), ref: 00437F5C
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00437F99
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00437FB3
                                                              • __vbaSetSystemError.MSVBVM60(?,?,?), ref: 00437FD9
                                                              • __vbaAryUnlock.MSVBVM60(00000000), ref: 00437FE3
                                                              • __vbaStrMove.MSVBVM60(?), ref: 00437FFE
                                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 00438013
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 00438029
                                                              • __vbaSetSystemError.MSVBVM60(?), ref: 0043803F
                                                              • __vbaFreeStr.MSVBVM60(004380B7), ref: 004380A4
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 004380B0
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 004380CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$BoundsGenerateSystem$Free$#644#685CheckCopyHresultListLockUnlock$BstrChkstkDestructLboundMoveOverflowRedimUbound
                                                              • String ID: 8+@
                                                              • API String ID: 2919997023-3583365571
                                                              • Opcode ID: cfe379e34ae23b681c9a99c3aad263101ab55ae0a24de2b3e94afc4af7ad9686
                                                              • Instruction ID: 0ee6484a99351f3d19439d9ac1ff3d2d5e8cd975c29297b6f72991c22f4563d9
                                                              • Opcode Fuzzy Hash: cfe379e34ae23b681c9a99c3aad263101ab55ae0a24de2b3e94afc4af7ad9686
                                                              • Instruction Fuzzy Hash: 7DE129B5900218DFDB24DF94C988BEEBBB5FF48304F108199E60ABB290DB745A85DF54
                                                              APIs
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,6D4145C1,?,?,?,?,?,?,?,?,?,?,?,6D4145C1,004037E6), ref: 00432C5F
                                                              • #573.MSVBVM60(?,?), ref: 00432C80
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00432C8C
                                                              • __vbaStrMove.MSVBVM60 ref: 00432C99
                                                              • __vbaFreeVar.MSVBVM60 ref: 00432C9E
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 00432CA8
                                                              • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000009,?), ref: 00432CC7
                                                              • #573.MSVBVM60(?,00004003), ref: 00432CE2
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00432CE8
                                                              • __vbaStrMove.MSVBVM60 ref: 00432CEF
                                                              • __vbaFreeVar.MSVBVM60 ref: 00432CF4
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 00432CFE
                                                              • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000012,?), ref: 00432D1D
                                                              • #573.MSVBVM60(?,00004003), ref: 00432D38
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00432D3E
                                                              • __vbaStrMove.MSVBVM60 ref: 00432D45
                                                              • __vbaFreeVar.MSVBVM60 ref: 00432D4A
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 00432D54
                                                              • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,0000001B,?), ref: 00432D73
                                                              • #573.MSVBVM60(?,00004003), ref: 00432D8E
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00432D94
                                                              • __vbaStrMove.MSVBVM60 ref: 00432D9B
                                                              • __vbaFreeVar.MSVBVM60 ref: 00432DA0
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 00432DAA
                                                              • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,00000024,?), ref: 00432DC9
                                                              • #573.MSVBVM60(?,00004003), ref: 00432DE4
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00432DEA
                                                              • __vbaStrMove.MSVBVM60 ref: 00432DF1
                                                              • __vbaFreeVar.MSVBVM60 ref: 00432DF6
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 00432E00
                                                              • __vbaMidStmtBstr.MSVBVM60(00000000,?,00000000,0000002D,?), ref: 00432E1B
                                                              • __vbaFreeStr.MSVBVM60(00432E4B), ref: 00432E44
                                                              • __vbaErrorOverflow.MSVBVM60(?), ref: 00432E61
                                                              Strings
                                                              • 00000000 00000000 00000000 00000000 00000000, xrefs: 00432C4B
                                                              • 7@, xrefs: 00432D23
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$BstrMove$Free$#573Stmt$CopyErrorOverflow
                                                              • String ID: 00000000 00000000 00000000 00000000 00000000$7@
                                                              • API String ID: 4201252254-3287283261
                                                              • Opcode ID: df926edd40012e63d046b542ea62979bf40f01fd67a701a9f4466f93ec7421a4
                                                              • Instruction ID: 15e9c1e25de166984e93fad4652c71abd0e7639a9e0991fa369fdcb96363b6f9
                                                              • Opcode Fuzzy Hash: df926edd40012e63d046b542ea62979bf40f01fd67a701a9f4466f93ec7421a4
                                                              • Instruction Fuzzy Hash: C661D9B5910119AFDF04DFA4DD89EEEBBB8FF48701F00412AE906B3264EB746905CB64
                                                              APIs
                                                              • __vbaAryConstruct2.MSVBVM60(?,0040D710,00000011,?,00000000), ref: 004375CA
                                                              • __vbaAryConstruct2.MSVBVM60(?,0040D710,00000011,?,00000000), ref: 004375D7
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,00000002,?,00000000), ref: 004375F8
                                                              • __vbaUI1I4.MSVBVM60(?,00000000), ref: 00437600
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,00000002,?,00000000), ref: 00437622
                                                              • __vbaLenBstr.MSVBVM60(?,00000002,?,00000000), ref: 0043762F
                                                              • #631.MSVBVM60(?,?,?,00000002,?,00000000), ref: 00437649
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000002,?,00000000), ref: 00437654
                                                              • #516.MSVBVM60(00000000,?,?,?,00000002,?,00000000), ref: 0043765B
                                                              • __vbaUI1I2.MSVBVM60(?,?,?,00000002,?,00000000), ref: 00437663
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,00000002,?,00000000), ref: 00437672
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,00000002,?,00000000), ref: 0043767B
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 004376B9
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 004376C3
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 00437705
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 00437715
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 00437723
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 0043773A
                                                              • __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 00437765
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 004377B0
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 004377DC
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 004377EF
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 004377F9
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 0043780C
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 0043782D
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 00437837
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000000), ref: 00437868
                                                              • #631.MSVBVM60(00000002,00000001,00000002,?,?,?,00000000), ref: 00437880
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 0043788B
                                                              • #516.MSVBVM60(00000000,?,?,00000000), ref: 00437892
                                                              • #537.MSVBVM60(00000000,00000000,?,?,?,00000000), ref: 004378AB
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 004378BC
                                                              • __vbaStrCat.MSVBVM60(00000000,?,?,?,00000000), ref: 004378BF
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 004378CA
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000000), ref: 004378D6
                                                              • __vbaFreeVar.MSVBVM60(?,00000000), ref: 004378E2
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00437962,?,?,00000000), ref: 0043794B
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,00000000), ref: 0043795F
                                                              • __vbaErrorOverflow.MSVBVM60(?,?,00000000), ref: 00437978
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$BoundsGenerate$FreeMove$#516#631BstrConstruct2Destruct$#537ListOverflow
                                                              • String ID:
                                                              • API String ID: 1385572187-0
                                                              • Opcode ID: 85fc6e66aa53dbe9c6c73c711cdca63d5c3146e8ff22ec5c4ff7dd5b38f2ce66
                                                              • Instruction ID: 547ee476a022f2e63e5873f6924074a91a9ffad9856e3cbf783cf5e44e16d297
                                                              • Opcode Fuzzy Hash: 85fc6e66aa53dbe9c6c73c711cdca63d5c3146e8ff22ec5c4ff7dd5b38f2ce66
                                                              • Instruction Fuzzy Hash: 5BB1D2B5E042199FDB249FA8CD84BDDBBB5AF4D300F24416AE485A7361CB785881CF98
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6), ref: 0043555E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043558E
                                                              • __vbaUbound.MSVBVM60(00000001,?,?,00000000,?,?,004037E6), ref: 004355AA
                                                                • Part of subcall function 004384A0: __vbaStrCopy.MSVBVM60(6D41D8B1,00000000,00000000), ref: 004384E2
                                                                • Part of subcall function 004384A0: __vbaGenerateBoundsError.MSVBVM60 ref: 00438521
                                                                • Part of subcall function 004384A0: __vbaStrUI1.MSVBVM60(?), ref: 0043853A
                                                                • Part of subcall function 004384A0: __vbaStrMove.MSVBVM60 ref: 00438545
                                                                • Part of subcall function 004384A0: __vbaStrCmp.MSVBVM60(00409C14,00000000), ref: 0043854D
                                                                • Part of subcall function 004384A0: __vbaFreeStr.MSVBVM60 ref: 00438560
                                                                • Part of subcall function 004384A0: __vbaGenerateBoundsError.MSVBVM60 ref: 00438597
                                                                • Part of subcall function 004384A0: #608.MSVBVM60(?,00000000), ref: 004385B6
                                                                • Part of subcall function 004384A0: __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 004385C8
                                                                • Part of subcall function 004384A0: __vbaStrVarMove.MSVBVM60(00000000), ref: 004385CF
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,004037E6), ref: 004355C5
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 004355DA
                                                                • Part of subcall function 00438890: __vbaLenBstr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 004388D6
                                                                • Part of subcall function 00438890: #632.MSVBVM60(?,?,?,?), ref: 00438932
                                                                • Part of subcall function 00438890: __vbaVarCat.MSVBVM60(?,?,00000008,?), ref: 00438948
                                                                • Part of subcall function 00438890: __vbaI4ErrVar.MSVBVM60(00000000), ref: 0043894F
                                                                • Part of subcall function 00438890: #537.MSVBVM60(00000000), ref: 00438956
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438961
                                                                • Part of subcall function 00438890: __vbaStrCat.MSVBVM60(00000000), ref: 00438964
                                                                • Part of subcall function 00438890: __vbaStrMove.MSVBVM60(?,6D40E251,`,@,00000000), ref: 0043896B
                                                                • Part of subcall function 00438890: __vbaFreeStr.MSVBVM60(?,6D40E251,`,@,00000000), ref: 00438970
                                                                • Part of subcall function 00438890: __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00438988
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,?,004037E6), ref: 004355EE
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 004355FC
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000,?,?,004037E6), ref: 00435610
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 0043561E
                                                              • __vbaStrMove.MSVBVM60 ref: 00435637
                                                              • __vbaStrCopy.MSVBVM60 ref: 00435645
                                                              • __vbaStrMove.MSVBVM60 ref: 00435664
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?), ref: 00437A19
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                                • Part of subcall function 004379A0: __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                                • Part of subcall function 004379A0: #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                                • Part of subcall function 004379A0: #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                                • Part of subcall function 004379A0: __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                                • Part of subcall function 004379A0: #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                                • Part of subcall function 004379A0: __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                                • Part of subcall function 004379A0: __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                                • Part of subcall function 004379A0: __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,00000001), ref: 00435682
                                                              • __vbaInStr.MSVBVM60(00000000,00000000), ref: 0043568B
                                                                • Part of subcall function 004379A0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                                • Part of subcall function 004379A0: __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                                • Part of subcall function 004379A0: __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,00000001), ref: 004356AB
                                                              • __vbaInStr.MSVBVM60(00000000,00000000), ref: 004356B4
                                                              • __vbaFreeStrList.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,00000000,?), ref: 004356F2
                                                              • __vbaAryMove.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 0043571E
                                                                • Part of subcall function 00435860: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000000B,00000000,?,00000000), ref: 004358B8
                                                                • Part of subcall function 00435860: __vbaUbound.MSVBVM60(00000001,?), ref: 004358CD
                                                                • Part of subcall function 00435860: __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0043591C
                                                                • Part of subcall function 00435860: __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00435928
                                                                • Part of subcall function 00435860: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-0000001F,?,00000000), ref: 0043594C
                                                                • Part of subcall function 00435860: __vbaUbound.MSVBVM60(00000001,?), ref: 0043595B
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 0043573D
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 00435751
                                                              • __vbaAryMove.MSVBVM60(?,?,?,?,00000000,00000000,00000004,00000000,?,?,?,?,?,?,?,00000000), ref: 00435777
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 00435780
                                                              • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 00435793
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 004357AE
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,0043583C,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 00435808
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 00435814
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 0043581D
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 00435829
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00000000,?,?,004037E6), ref: 00435835
                                                                • Part of subcall function 00435E70: __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,?,00435713,00000000,?,?,?,?,?,?,?,00000000), ref: 00435E8E
                                                                • Part of subcall function 00435E70: __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 00435EBE
                                                                • Part of subcall function 00435E70: __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 00435ED3
                                                                • Part of subcall function 00435E70: __vbaStrMove.MSVBVM60(?,?,00000000,?,?,004037E6), ref: 00435EE7
                                                                • Part of subcall function 00435E70: __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 00435EF5
                                                                • Part of subcall function 00435E70: __vbaStrMove.MSVBVM60 ref: 00435F14
                                                                • Part of subcall function 00435E70: __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00435F32
                                                                • Part of subcall function 00435E70: __vbaStrCat.MSVBVM60(00000000), ref: 00435F39
                                                                • Part of subcall function 00435E70: __vbaStrMove.MSVBVM60 ref: 00435F44
                                                                • Part of subcall function 00435E70: __vbaStrMove.MSVBVM60(?), ref: 00435F58
                                                                • Part of subcall function 00435E70: __vbaObjSet.MSVBVM60(?,00000000,?), ref: 00435F6C
                                                                • Part of subcall function 00435E70: __vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,00000000), ref: 00435F90
                                                                • Part of subcall function 00435E70: __vbaObjIs.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,004037E6), ref: 00435FA6
                                                                • Part of subcall function 00435E70: __vbaStrMove.MSVBVM60(?,?,?,?,00000000,?,?,004037E6), ref: 00435FC8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$Copy$Ubound$DestructErrorList$Bstr$#516#608#631BoundsChkstkGenerateRedim$#537#632
                                                              • String ID: 047778$254751$LSvaLSIOiCO$VrFIIhuTxEJDgJvDKDmSLWijIGOIJAwTCJbiOOEhjL
                                                              • API String ID: 1910222529-3553673661
                                                              • Opcode ID: 98627a8ca95613974f333a875f37cbc46b31d1ed8652d4ae8cc2d676bd5eb58d
                                                              • Instruction ID: 85bdafdd8d37e0f04c57e264eec57130674d926ab6d26e5fa8792a9a63163feb
                                                              • Opcode Fuzzy Hash: 98627a8ca95613974f333a875f37cbc46b31d1ed8652d4ae8cc2d676bd5eb58d
                                                              • Instruction Fuzzy Hash: 6791BA75900208ABDB04EFD0DD49FDEBBB9BF48705F10812AF502BB1A4EB745A49CB54
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,004339EE,?,?,?), ref: 0043470E
                                                              • __vbaOnError.MSVBVM60(000000FF,00000000,-00000001,6D4145C1,?,004037E6), ref: 0043473E
                                                              • __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00434755
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000004,?,00000000), ref: 00434774
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 0043478C
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438A1E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438A4E
                                                                • Part of subcall function 00438890: __vbaVarVargNofree.MSVBVM60 ref: 00438A6F
                                                                • Part of subcall function 00438890: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00438A7E
                                                                • Part of subcall function 00438890: __vbaI2Var.MSVBVM60(00000000), ref: 00438A85
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B0B
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B2E
                                                                • Part of subcall function 00438890: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00438B56
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B66
                                                                • Part of subcall function 00438890: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 00438B89
                                                              • __vbaFreeVar.MSVBVM60(00006011,00000000,00006011,00000000,00000003), ref: 004347F3
                                                                • Part of subcall function 00434640: __vbaStrCopy.MSVBVM60(?,?,00000000), ref: 0043467F
                                                                • Part of subcall function 00434640: __vbaAryMove.MSVBVM60(?,?,?), ref: 00434699
                                                                • Part of subcall function 00434640: __vbaFreeStr.MSVBVM60 ref: 004346A2
                                                                • Part of subcall function 00434640: __vbaAryDestruct.MSVBVM60(00000000,?,004346D8), ref: 004346D1
                                                              • __vbaAryMove.MSVBVM60(?,?,00000000), ref: 0043481F
                                                              • __vbaUbound.MSVBVM60(00000001), ref: 0043483B
                                                              • __vbaI2I4.MSVBVM60 ref: 0043484C
                                                                • Part of subcall function 00438890: __vbaFreeVar.MSVBVM60 ref: 00438B95
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00002011,00000002,00002011,00000000,00006011,00000000,00000002), ref: 004348BE
                                                              • __vbaErase.MSVBVM60(00000000,?), ref: 004348D0
                                                              • __vbaStrCopy.MSVBVM60 ref: 004348E5
                                                                • Part of subcall function 00434C10: __vbaAryConstruct2.MSVBVM60(?,0040CED8,00000011,00000000,-00000001,6D4145C1), ref: 00434CF4
                                                                • Part of subcall function 00434C10: #527.MSVBVM60(00000000), ref: 00434D00
                                                                • Part of subcall function 00434C10: __vbaStrMove.MSVBVM60 ref: 00434D0E
                                                                • Part of subcall function 00434C10: __vbaStrCmp.MSVBVM60(SHA256,?), ref: 00434D26
                                                                • Part of subcall function 00434C10: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000018,F0000000), ref: 00434DD0
                                                                • Part of subcall function 00434C10: #685.MSVBVM60 ref: 00434DDE
                                                                • Part of subcall function 00434C10: __vbaObjSet.MSVBVM60(?,00000000), ref: 00434DEC
                                                                • Part of subcall function 00434C10: __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040CDD8,0000004C), ref: 00434E10
                                                                • Part of subcall function 00434C10: __vbaFreeObj.MSVBVM60 ref: 00434E28
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,?), ref: 00434903
                                                              • __vbaStrCopy.MSVBVM60 ref: 00434963
                                                                • Part of subcall function 00434C10: __vbaStrCmp.MSVBVM60(SHA384,?), ref: 00434D49
                                                                • Part of subcall function 00434C10: __vbaStrCopy.MSVBVM60 ref: 00434E39
                                                                • Part of subcall function 00434C10: __vbaSetSystemError.MSVBVM60(?), ref: 00435322
                                                                • Part of subcall function 00434C10: __vbaSetSystemError.MSVBVM60(?), ref: 00435339
                                                                • Part of subcall function 00434C10: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 0043534C
                                                                • Part of subcall function 00434C10: __vbaLenBstrB.MSVBVM60(?), ref: 00435355
                                                                • Part of subcall function 00434C10: #681.MSVBVM60(?,?,?,?), ref: 004353CD
                                                                • Part of subcall function 00434C10: #685.MSVBVM60 ref: 004353D3
                                                                • Part of subcall function 00434C10: __vbaObjSet.MSVBVM60(?,00000000), ref: 004353E1
                                                                • Part of subcall function 00434C10: __vbaI4Var.MSVBVM60(?,?,?,?,?), ref: 00435452
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,?), ref: 00434981
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00434A1D
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00434A37
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00434A7C
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00434A96
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00434ADB
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00434AF5
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 00434B71
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00434BF4), ref: 00434BBA
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00434BC9
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00434BD5
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00434BE1
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00434BED
                                                              • __vbaErrorOverflow.MSVBVM60(?,00000000), ref: 00434C0A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$Free$BoundsDestructGenerate$Chkstk$CopyMoveSystem$Ubound$#685Index$#527#681BstrCheckConstruct2EraseHresultListLoadNofreeOverflowRedimStoreVarg
                                                              • String ID: SHA256
                                                              • API String ID: 3250730599-983011835
                                                              • Opcode ID: 5dcea85ffaf1782bbd5a9d5a0951441eaf1821f7bbedbe1acbbf727b6b1e71cc
                                                              • Instruction ID: 0ab9744960fe0c8a06014077ef1ea35e9565c2b0d86851ef13145a772d2f9845
                                                              • Opcode Fuzzy Hash: 5dcea85ffaf1782bbd5a9d5a0951441eaf1821f7bbedbe1acbbf727b6b1e71cc
                                                              • Instruction Fuzzy Hash: 0FE158B4901208DFDB14DF94D988BDDB7B5FF48304F10819AE50ABB2A0D7756A88CF69
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00439FCE
                                                              • __vbaNew.MSVBVM60(004076EC,?,00000000,?,00000000,004037E6), ref: 0043A001
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004037E6), ref: 0043A00C
                                                                • Part of subcall function 0043BC70: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                                • Part of subcall function 0043BC70: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                                • Part of subcall function 0043BC70: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                                • Part of subcall function 0043BC70: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • #632.MSVBVM60(?,00004008,?,00000002), ref: 0043A06A
                                                              • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0043A08F
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043A0A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$#632Free$BstrChkstkListMove
                                                              • String ID: FQVElVSnPClKjFGdGcxlq
                                                              • API String ID: 1396576573-4203370029
                                                              • Opcode ID: fdcdb4c6cd180bd7f4a236b71d144ab7f462b2dbb929201eefb17fff68a46d70
                                                              • Instruction ID: 31c37b1f6d2f662e070003d9608faa1f0cf14505622c69e5d7b74a1b6f9f7a6e
                                                              • Opcode Fuzzy Hash: fdcdb4c6cd180bd7f4a236b71d144ab7f462b2dbb929201eefb17fff68a46d70
                                                              • Instruction Fuzzy Hash: 82B119B580020DEFDB14DF94CA84AEEB7B8FF48704F10815AE549B7254DB746A09CF65
                                                              APIs
                                                                • Part of subcall function 0043BC70: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                                • Part of subcall function 0043BC70: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                                • Part of subcall function 0043BC70: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                                • Part of subcall function 0043BC70: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • #632.MSVBVM60(?,?,?,?,?,?,?,?,6D41D8B1), ref: 0043B2B6
                                                              • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,?,?,6D41D8B1), ref: 0043B2DB
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,?,?,6D41D8B1), ref: 0043B2F1
                                                              • #632.MSVBVM60(?,00004008,?,00000002,?,?,6D41D8B1), ref: 0043B348
                                                              • __vbaVarTstEq.MSVBVM60(00008008,?,?,00000002,?,?,6D41D8B1), ref: 0043B36D
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,00000002,?,?,6D41D8B1), ref: 0043B383
                                                              • __vbaErrorOverflow.MSVBVM60(0043B4E4,?,?,?,?,?,6D41D8B1), ref: 0043B4FB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$#632Free$List$BstrErrorMoveOverflow
                                                              • String ID: : $HpD$Invalid Boolean at position $false$true
                                                              • API String ID: 4277481792-2169453833
                                                              • Opcode ID: 21cc624b2a49206dd1673448df91cad2b7a8dc26c49850cb64b0703ac0b69930
                                                              • Instruction ID: 826f89e9247f4b3676de890f9acb5672ec89b0a1c45d697dfde166c87ea62e80
                                                              • Opcode Fuzzy Hash: 21cc624b2a49206dd1673448df91cad2b7a8dc26c49850cb64b0703ac0b69930
                                                              • Instruction Fuzzy Hash: 578116B1900219AFDB10DF94DD88AEEBBB8FF98304F10411EE545B7250EBB41949CFA5
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0042DCAE
                                                              • __vbaOnError.MSVBVM60(000000FF,00000000,6D414558,6D4EDAF4,00000000,004037E6), ref: 0042DCDE
                                                              • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000001), ref: 0042DCF7
                                                              • #570.MSVBVM60(00000001), ref: 0042DD06
                                                              • __vbaVarDup.MSVBVM60 ref: 0042DD23
                                                              • #606.MSVBVM60(?,?), ref: 0042DD31
                                                              • __vbaStrMove.MSVBVM60 ref: 0042DD3C
                                                              • __vbaStr2Vec.MSVBVM60(?,00000000), ref: 0042DD47
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 0042DD55
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042DD5E
                                                              • __vbaFreeVar.MSVBVM60 ref: 0042DD67
                                                              • __vbaGetOwner3.MSVBVM60(0040C6D4,?,00000001), ref: 0042DD7F
                                                              • __vbaFileClose.MSVBVM60(00000001), ref: 0042DD8E
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 0042DDA1
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042DE0E
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042DE25
                                                              • __vbaStrUI1.MSVBVM60(00000000), ref: 0042DE41
                                                              • __vbaStrMove.MSVBVM60 ref: 0042DE4C
                                                              • __vbaStrCmp.MSVBVM60(00409C14,00000000), ref: 0042DE58
                                                              • __vbaFreeStr.MSVBVM60 ref: 0042DE6C
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042DEC5
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0042DEDC
                                                              • #608.MSVBVM60(?,00000000), ref: 0042DEFE
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 0042DF10
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 0042DF17
                                                              • __vbaStrMove.MSVBVM60 ref: 0042DF22
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042DF32
                                                              • __vbaStrCopy.MSVBVM60 ref: 0042DF54
                                                              • __vbaFreeStr.MSVBVM60(0042DFB3), ref: 0042DFA0
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0042DFAC
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$ErrorFreeMove$BoundsGenerate$File$#570#606#608ChkstkCloseCopyDestructListOpenOwner3Str2Ubound
                                                              • String ID:
                                                              • API String ID: 3136081494-0
                                                              • Opcode ID: 4fee8177644553558b25942c5443a73702e8fd0ccb69974871a0fb10559ef5d8
                                                              • Instruction ID: 318d90561d9bd17215e1e4a3fd2f9e2b7a084f8caa564ba4d50f9ed1e1d79b70
                                                              • Opcode Fuzzy Hash: 4fee8177644553558b25942c5443a73702e8fd0ccb69974871a0fb10559ef5d8
                                                              • Instruction Fuzzy Hash: 60910574E00218DFDB14DFA4DA88BEDBBB5BF48304F20816AE406BB2A0DB745A45CF55
                                                              APIs
                                                                • Part of subcall function 0043BC70: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                                • Part of subcall function 0043BC70: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                                • Part of subcall function 0043BC70: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                                • Part of subcall function 0043BC70: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • #632.MSVBVM60(?,?,?,?,?,?,00000000,?,?), ref: 0043B5A2
                                                              • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,00000000,?,?), ref: 0043B5C7
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,?,00000000,?,?), ref: 0043B5D9
                                                              • __vbaVarMove.MSVBVM60(00000000,?,?), ref: 0043B5FA
                                                              • __vbaStrCat.MSVBVM60(Invalid null value at position ,00000000,00000000,?,?), ref: 0043B628
                                                              • __vbaStrMove.MSVBVM60 ref: 0043B635
                                                              • __vbaStrI4.MSVBVM60(?,00000000), ref: 0043B63B
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043B646
                                                              • __vbaStrCat.MSVBVM60(00000000,?,00000000), ref: 0043B649
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 0043B650
                                                              • __vbaStrCat.MSVBVM60( : ,00000000,?,00000000), ref: 0043B658
                                                              • #632.MSVBVM60(?,00004008,?,00000002,?,00000000), ref: 0043B698
                                                              • __vbaVarCat.MSVBVM60(?,?,?,?,00000002,?,00000000), ref: 0043B6C0
                                                              • __vbaVarCat.MSVBVM60(?,00008008,00000000,?,00000002,?,00000000), ref: 0043B6CE
                                                              • __vbaStrVarMove.MSVBVM60(00000000,?,00000002,?,00000000), ref: 0043B6D1
                                                              • __vbaStrMove.MSVBVM60(?,00000002,?,00000000), ref: 0043B6DE
                                                              • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000002,?,00000000), ref: 0043B6EE
                                                              • __vbaFreeVarList.MSVBVM60(00000005,0000000A,?,?,?,?,?,00000002,?,00000000), ref: 0043B70A
                                                              • __vbaErrorOverflow.MSVBVM60(0043B75E), ref: 0043B78D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$#632List$BstrErrorOverflow
                                                              • String ID: : $HpD$Invalid null value at position $null
                                                              • API String ID: 2513549710-756939621
                                                              • Opcode ID: 4c7c2d49b4172083d3b8159920cff7549f72d4716f50c1b854f361dcf950ba22
                                                              • Instruction ID: c461614af23a0a34dfe6f3547bcc7ed1ce836e9f82d8dbbc76d58bda5b8ba400
                                                              • Opcode Fuzzy Hash: 4c7c2d49b4172083d3b8159920cff7549f72d4716f50c1b854f361dcf950ba22
                                                              • Instruction Fuzzy Hash: 1C5119B1D00229AFDB14DF94CC85BEEBBB8FB48700F10815AE509B7254DB745949CFA5
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0043C0EE
                                                              • __vbaOnError.MSVBVM60(000000FF,00000000,?,00000001,00000000,004037E6), ref: 0043C11E
                                                              • __vbaStr2Vec.MSVBVM60(?), ref: 0043C135
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 0043C143
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 0043C156
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C1C0
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C1D1
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C1F5
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C209
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C21D
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C231
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C243
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C25B
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C26D
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C285
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C295
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C2A7
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C2F2
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C303
                                                              • __vbaUI1I2.MSVBVM60 ref: 0043C30E
                                                              • __vbaStrVarCopy.MSVBVM60(00002011,0040D72C,00000000,00000001,000000FF,00000000), ref: 0043C351
                                                              • __vbaStrMove.MSVBVM60 ref: 0043C35C
                                                              • #712.MSVBVM60(00000000), ref: 0043C363
                                                              • __vbaStrMove.MSVBVM60 ref: 0043C36E
                                                              • __vbaFreeStr.MSVBVM60 ref: 0043C377
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,0043C3BA), ref: 0043C3B3
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                               • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$BoundsGenerate$Move$#712ChkstkCopyDestructFreeStr2Ubound
                                                              • String ID:
                                                              • API String ID: 2409928056-0
                                                              • Opcode ID: f01322ed33aa936053880ff7a43a0c6c9f7da24ae7fad71d8da7222c7f212828
                                                              • Instruction ID: 8aa433b21076c022069373bb5e9e4da6f639c24dd9854a755a01bdb034af3ac9
                                                              • Opcode Fuzzy Hash: f01322ed33aa936053880ff7a43a0c6c9f7da24ae7fad71d8da7222c7f212828
                                                              • Instruction Fuzzy Hash: 7C813970D04248DFDB18CFE4CA98BDDBFB2AB48710F24816AE502BB291CB755985CF95
                                                              APIs
                                                              • __vbaLenBstr.MSVBVM60(00000000,`,@,00000000,6D41D8B1), ref: 004386A9
                                                              • __vbaLenBstr.MSVBVM60 ref: 004386B7
                                                              • _adj_fdiv_m64.MSVBVM60 ref: 004386E2
                                                              • __vbaFpI4.MSVBVM60 ref: 004386F1
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 00438711
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 00438720
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00438760
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00438768
                                                              • #631.MSVBVM60(?,?,?,0040C894), ref: 00438794
                                                              • __vbaStrMove.MSVBVM60 ref: 0043879F
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 004387A2
                                                              • __vbaStrMove.MSVBVM60 ref: 004387AD
                                                              • #581.MSVBVM60(00000000), ref: 004387B0
                                                              • __vbaFpUI1.MSVBVM60 ref: 004387B6
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004387CF
                                                              • __vbaFreeVar.MSVBVM60 ref: 004387DB
                                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 004387FF
                                                              • __vbaAryCopy.MSVBVM60(?,?), ref: 00438815
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00438869), ref: 0043885E
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00438866
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$BoundsBstrCopyDestructErrorFreeGenerateMove$#581#631ListRedimUbound_adj_fdiv_m64
                                                              • String ID: `,@
                                                              • API String ID: 796740024-4168824844
                                                              • Opcode ID: c52a798f21a84eb3cf820f15a83441ff1b808f05b0b74034412e7f6c10a1db57
                                                              • Instruction ID: 6daa35c4db0818fac216d181594eecc99a6e39316df29446bdcef3d0f6ec4e3c
                                                              • Opcode Fuzzy Hash: c52a798f21a84eb3cf820f15a83441ff1b808f05b0b74034412e7f6c10a1db57
                                                              • Instruction Fuzzy Hash: 87512E71900318AFDB04EFA4DD89AAEBB79FB4C701F10812AF505B72A0DB745945CFA9
                                                              APIs
                                                              • __vbaUbound.MSVBVM60(00000001,?,00401F08,-00000001,6D4EEC2C), ref: 0042579A
                                                              • __vbaUI1I2.MSVBVM60(?,00401F08,-00000001,6D4EEC2C), ref: 004257A2
                                                              • __vbaAryCopy.MSVBVM60(?,00401FE0,?,00401F08,-00000001,6D4EEC2C), ref: 004257B0
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00401F08,-00000001,6D4EEC2C), ref: 004257DE
                                                              • __vbaVarMove.MSVBVM60(?,00401F08,-00000001,6D4EEC2C), ref: 00425815
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00401F08,-00000001,6D4EEC2C), ref: 00425838
                                                              • __vbaVarMove.MSVBVM60(?,00401F08,-00000001,6D4EEC2C), ref: 0042586F
                                                              • __vbaUbound.MSVBVM60(00000001,?,00000000,?,00401F08,-00000001,6D4EEC2C), ref: 0042587B
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,?,00000000,?,00401F08,-00000001,6D4EEC2C), ref: 0042588D
                                                              • __vbaUbound.MSVBVM60(00000001,00000000), ref: 0042589B
                                                              • __vbaFreeVar.MSVBVM60(00000011,?,?,?,?), ref: 00425910
                                                              • __vbaI4Var.MSVBVM60(?,00000004), ref: 00425918
                                                              • __vbaFreeVar.MSVBVM60(00425A0E), ref: 004259FA
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00425A02
                                                              • __vbaFreeVar.MSVBVM60 ref: 00425A0B
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$FreeUbound$BoundsErrorGenerateMove$CopyDestructRedim
                                                              • String ID:
                                                              • API String ID: 149760206-0
                                                              • Opcode ID: d5f4bae96581bc614e5752646da9efb0e7ffc6d63b4b701b381604dde3617748
                                                              • Instruction ID: ede974385ad6fbfa64ff583e48eb8c0e0ab1eed6da94189492291104200f4cef
                                                              • Opcode Fuzzy Hash: d5f4bae96581bc614e5752646da9efb0e7ffc6d63b4b701b381604dde3617748
                                                              • Instruction Fuzzy Hash: F48158B4900218DFDB14CFA5DE84BDDFBB9EF88300F10819AE509A7261D7B45A85CF65
                                                              APIs
                                                              • __vbaLenBstr.MSVBVM60(?,6D41D8B1,00000001,6D40A323), ref: 004379E3
                                                              • #631.MSVBVM60(?,?,?), ref: 00437A19
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 00437A24
                                                              • #516.MSVBVM60(00000000,?,?,?), ref: 00437A27
                                                              • __vbaFreeStr.MSVBVM60(?,?,?), ref: 00437A32
                                                              • __vbaFreeVar.MSVBVM60(?,?,?), ref: 00437A3B
                                                              • __vbaLenBstr.MSVBVM60(?,00000002,?,?,?), ref: 00437A59
                                                              • #631.MSVBVM60(?,?,?,00000002,?,?,?), ref: 00437A76
                                                              • __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A81
                                                              • #516.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437A84
                                                              • __vbaFreeStr.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A90
                                                              • __vbaFreeVar.MSVBVM60(?,?,00000002,?,?,?), ref: 00437A99
                                                              • #608.MSVBVM60(00000002,?,?,?,00000002,?,?,?), ref: 00437ABA
                                                              • __vbaVarAdd.MSVBVM60(?,00000002,00000008,?,?,00000002,?,?,?), ref: 00437ACC
                                                              • __vbaStrVarMove.MSVBVM60(00000000,?,?,00000002,?,?,?), ref: 00437AD3
                                                              • __vbaStrMove.MSVBVM60(?,?,00000002,?,?,?), ref: 00437ADE
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,?,?,?), ref: 00437AEA
                                                              • __vbaStrCopy.MSVBVM60 ref: 00437B09
                                                              • __vbaFreeStr.MSVBVM60(00437B4C), ref: 00437B45
                                                              • __vbaErrorOverflow.MSVBVM60(?,00000002,?,?,?), ref: 00437B62
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$Move$#516#631Bstr$#608CopyErrorListOverflow
                                                              • String ID: (+@
                                                              • API String ID: 360027286-3383980723
                                                              • Opcode ID: 83c42a233ffed47ea56100b53017fa77381eeb7f2317fb02d481547642d30bbe
                                                              • Instruction ID: c85f0f4bc0d59a632d9b65d71e75d8522d4eeb0d00f213dad5ff3264d9222e98
                                                              • Opcode Fuzzy Hash: 83c42a233ffed47ea56100b53017fa77381eeb7f2317fb02d481547642d30bbe
                                                              • Instruction Fuzzy Hash: 92414AB4D00249AFDB04DFA4D988AEEBBB8FB48305F108029F906F7260EB346945CF54
                                                              APIs
                                                              • __vbaStrCopy.MSVBVM60 ref: 0043C745
                                                              • #594.MSVBVM60(?), ref: 0043C768
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043C771
                                                              • __vbaStr2Vec.MSVBVM60(?), ref: 0043C781
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 0043C78F
                                                              • __vbaLenBstr.MSVBVM60 ref: 0043C798
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0@7@,00000000), ref: 0043C7D0
                                                              • #593.MSVBVM60(0000000A), ref: 0043C7F3
                                                              • __vbaFpI4.MSVBVM60 ref: 0043C81F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C83F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C847
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C86A
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043C87A
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043C895
                                                              • __vbaStrVarCopy.MSVBVM60(?), ref: 0043C8C0
                                                              • __vbaStrMove.MSVBVM60 ref: 0043C8CB
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,0043C915), ref: 0043C90A
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 0043C912
                                                              • __vbaErrorOverflow.MSVBVM60(00000000), ref: 0043C930
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$BoundsGenerate$CopyDestructFreeMove$#593#594BstrOverflowRedimStr2
                                                              • String ID: 0@7@
                                                              • API String ID: 2878600159-2629754795
                                                              • Opcode ID: bea46c760eb444dbb1c722d9d2b08eb9c0f11832b6082a3c139fa9510e579ed3
                                                              • Instruction ID: d5c8a06969cb0dceec3872871fbb1703a7330b85e605bea3e9d8ed78a3c8e985
                                                              • Opcode Fuzzy Hash: bea46c760eb444dbb1c722d9d2b08eb9c0f11832b6082a3c139fa9510e579ed3
                                                              • Instruction Fuzzy Hash: ED515EB5D002099FCB08DFA4D9C8A9DBB75FF0C351F11912AE805B7260D7749986CFA9
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 004380FE
                                                              • __vbaOnError.MSVBVM60(000000FF,6D41D8B1,00000000,00000000,00000000,004037E6), ref: 0043812E
                                                              • __vbaSetSystemError.MSVBVM60(00000000), ref: 00438159
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00438339), ref: 00438332
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$ChkstkDestructSystem
                                                              • String ID:
                                                              • API String ID: 2510513230-0
                                                              • Opcode ID: 740a68dfea30e1e4ab3a73c0e5d62e44fcc27fc636fee40a11eb42a2eb14aa58
                                                              • Instruction ID: ba6578a22931b18509a47483c16a5d1759a023cbfb87b1a47881c327b7115824
                                                              • Opcode Fuzzy Hash: 740a68dfea30e1e4ab3a73c0e5d62e44fcc27fc636fee40a11eb42a2eb14aa58
                                                              • Instruction Fuzzy Hash: B961E575901208EBDB04DFE4DA88BDEBBB9BF08704F10816AF506B72A0DB745A45CF58
                                                              APIs
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,0000000B,00000000,?,00000000), ref: 004358B8
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 004358CD
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 0043591C
                                                              • __vbaUbound.MSVBVM60(00000001,?,00000000), ref: 00435928
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-0000001F,?,00000000), ref: 0043594C
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 0043595B
                                                                • Part of subcall function 00438890: __vbaFreeVar.MSVBVM60 ref: 00438B95
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?), ref: 004359AA
                                                              • __vbaUbound.MSVBVM60(00000001,00000000,00000010,?,00000000,00000000), ref: 004359BD
                                                              • __vbaUbound.MSVBVM60(00000001,?,`)@,-0000000F), ref: 004359D0
                                                                • Part of subcall function 00435A90: #644.MSVBVM60(AES,6D4145C1,00000000,`)@), ref: 00435AEA
                                                                • Part of subcall function 00435A90: __vbaSetSystemError.MSVBVM60(?,00000000,00000000,00000000), ref: 00435B01
                                                                • Part of subcall function 00435A90: __vbaStrCopy.MSVBVM60 ref: 00435B10
                                                                • Part of subcall function 00435A90: __vbaSetSystemError.MSVBVM60(?), ref: 00435E14
                                                                • Part of subcall function 00435A90: __vbaSetSystemError.MSVBVM60(?,00000000), ref: 00435E24
                                                                • Part of subcall function 00435A90: __vbaFreeStr.MSVBVM60(00435E4A), ref: 00435E43
                                                              • #717.MSVBVM60(00000003,?,00000040,00000000,8WC`)@,?,?,00000000,-00000001), ref: 00435A0B
                                                              • __vbaStrVarMove.MSVBVM60(00000003), ref: 00435A15
                                                              • __vbaStrMove.MSVBVM60 ref: 00435A20
                                                              • __vbaFreeVar.MSVBVM60 ref: 00435A29
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00435A6D,8WC`)@,?,?,00000000,-00000001), ref: 00435A5C
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00435A63
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00435A6A
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 00435A83
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438A1E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438A4E
                                                                • Part of subcall function 00438890: __vbaVarVargNofree.MSVBVM60 ref: 00438A6F
                                                                • Part of subcall function 00438890: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00438A7E
                                                                • Part of subcall function 00438890: __vbaI2Var.MSVBVM60(00000000), ref: 00438A85
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B0B
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B2E
                                                                • Part of subcall function 00438890: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00438B56
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B66
                                                                • Part of subcall function 00438890: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 00438B89
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$ErrorFreeUbound$Chkstk$DestructSystem$IndexMoveRedim$#644#717CopyLoadNofreeOverflowStoreVarg
                                                              • String ID: 8WC`)@$`)@
                                                              • API String ID: 161593248-2406755947
                                                              • Opcode ID: 7c2f38cdd6e6d753b6431ac11f338eb5e1d8f5925763df93ca896d340fac77c5
                                                              • Instruction ID: 983a13607282a3c2b880073cbaf6fe76bfd75dbdec9c361a8b52f06109fb07ec
                                                              • Opcode Fuzzy Hash: 7c2f38cdd6e6d753b6431ac11f338eb5e1d8f5925763df93ca896d340fac77c5
                                                              • Instruction Fuzzy Hash: 7561F9B1D01218AFDB04EF94DD85EEEBBB9EF48700F10411AF505BA294D6B46A44CFA4
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,?,00445A6F,?,00000000), ref: 0044556E
                                                              • __vbaOnError.MSVBVM60(00000001,6D41D8B1,6D41D83C,00000000,00000000,004037E6), ref: 0044559E
                                                              • __vbaInStr.MSVBVM60(00000000,0040651C,?,00000001), ref: 004455C1
                                                              • __vbaNew.MSVBVM60(0040D850,?,00000001), ref: 004455D6
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000001), ref: 004455E1
                                                              • #631.MSVBVM60(?,00000000,?,?,00000000,?,00000000,?,?,?,?,?,00000000), ref: 00445681
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000), ref: 0044568C
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000), ref: 00445695
                                                              • __vbaLenBstr.MSVBVM60(?,?,?,?,?,?,00000000), ref: 004456A6
                                                              • __vbaStrCat.MSVBVM60(?,IP:,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004456FB
                                                              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D840,00000020), ref: 00445757
                                                              • __vbaFreeVarList.MSVBVM60(00000003,00000008,0000000A,0000000A), ref: 0044577D
                                                              • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004457CC
                                                              • __vbaCastObj.MSVBVM60(00000000,0040D840), ref: 004457E0
                                                              • __vbaObjSet.MSVBVM60(?,00000000), ref: 004457EB
                                                              • __vbaExitProc.MSVBVM60 ref: 00445802
                                                              • __vbaFreeObj.MSVBVM60(0044584D), ref: 0044583D
                                                              • __vbaFreeStr.MSVBVM60 ref: 00445846
                                                                • Part of subcall function 00445360: #631.MSVBVM60(?,7@,?,6D41D8B1,6D41D83C,00000000), ref: 004453B8
                                                                • Part of subcall function 00445360: __vbaStrMove.MSVBVM60(?,00000000,00000002), ref: 004453C3
                                                                • Part of subcall function 00445360: __vbaFreeVar.MSVBVM60(?,00000000,00000002), ref: 004453CC
                                                                • Part of subcall function 00445360: __vbaStrCmp.MSVBVM60(0040651C,?), ref: 004453E8
                                                                • Part of subcall function 00445360: #561.MSVBVM60(00004008), ref: 004453F9
                                                                • Part of subcall function 00445360: __vbaFreeStr.MSVBVM60(00445433,6D41D8B1,6D41D83C,00000000), ref: 0044542C
                                                              • __vbaErrorOverflow.MSVBVM60(?,00000000,?,?,?,?,?,00000000), ref: 00445863
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004458CA
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 004458E0
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 004458EA
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 004458F5
                                                              • __vbaStrMove.MSVBVM60(?,?,?,00000000), ref: 00445909
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000), ref: 00445919
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,?,00000000), ref: 00445931
                                                              • __vbaLenBstr.MSVBVM60(?), ref: 0044593E
                                                              • __vbaObjSet.MSVBVM60(?,00000000,?,00000000), ref: 0044595B
                                                              • __vbaNew2.MSVBVM60(0040D850,?), ref: 00445971
                                                                • Part of subcall function 00445450: __vbaLenBstr.MSVBVM60(00000000,?,7@,00000001), ref: 0044548D
                                                                • Part of subcall function 00445450: #631.MSVBVM60(?,?,?), ref: 004454B4
                                                                • Part of subcall function 00445450: __vbaStrMove.MSVBVM60(?,?,?), ref: 004454BF
                                                                • Part of subcall function 00445450: __vbaFreeVar.MSVBVM60(?,?,?), ref: 004454C8
                                                                • Part of subcall function 00445450: __vbaStrCmp.MSVBVM60(0040651C,?,?,?,?), ref: 004454E4
                                                                • Part of subcall function 00445450: #561.MSVBVM60(00004008,?,?,?), ref: 004454F5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$Move$#631Bstr$#561CopyErrorList$AddrefCastCheckChkstkExitHresultNew2OverflowProc
                                                              • String ID: IP:
                                                              • API String ID: 1255922066-4240305083
                                                              • Opcode ID: 28a44d0bbe35f8d15882aec2ea584448cd228670919aeb25d0d059b368ebc4c6
                                                              • Instruction ID: 35b59897e2c0caad8dcac60c1b62a2a976e97e541912d0cca169a1d8a54ac34d
                                                              • Opcode Fuzzy Hash: 28a44d0bbe35f8d15882aec2ea584448cd228670919aeb25d0d059b368ebc4c6
                                                              • Instruction Fuzzy Hash: 127108B5900208EFEB04DFD4DA88BDEBBB9BB48305F10816AE505BB291D7B95A44CF54
                                                              APIs
                                                              • __vbaOnError.MSVBVM60(00000001,?,?,00000001), ref: 00445185
                                                              • __vbaVarDup.MSVBVM60 ref: 0044519F
                                                              • #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 004451B6
                                                              • __vbaAryVar.MSVBVM60(00002008,?,?,?,000000FF,00000000), ref: 004451C5
                                                              • __vbaAryCopy.MSVBVM60(?,?,?,?,000000FF,00000000), ref: 004451D6
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000FF,00000000), ref: 004451E6
                                                              • __vbaUbound.MSVBVM60(00000001,?,?,?,00000000), ref: 004451F5
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,00000000), ref: 00445221
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,00000000), ref: 00445237
                                                              • __vbaUI1Str.MSVBVM60(?,?,?,00000000), ref: 00445249
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,00000000), ref: 00445265
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,00000000), ref: 00445275
                                                              • __vbaUI1Str.MSVBVM60(?,?,?,?,00000000), ref: 00445281
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000), ref: 0044529D
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00000000), ref: 004452AD
                                                              • __vbaUI1Str.MSVBVM60(?,?,?,?,?,00000000), ref: 004452B9
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,00000000), ref: 004452D5
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,00000000), ref: 004452E5
                                                              • __vbaUI1Str.MSVBVM60(?,?,?,?,?,?,00000000), ref: 004452F1
                                                              • __vbaErase.MSVBVM60(00000000,?,?,?,00000000), ref: 004452FF
                                                              • __vbaExitProc.MSVBVM60(?,?,00000000), ref: 00445305
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00445340,?,?,00000000), ref: 00445339
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$BoundsGenerate$#711CopyDestructEraseExitFreeListProcUbound
                                                              • String ID:
                                                              • API String ID: 4141477222-0
                                                              • Opcode ID: 56a5ca490a3bb71213fa281686dfac3039216fcfc68fe99deb5b12c6bcefd861
                                                              • Instruction ID: 2e35f219e701853216716f2b2fd621529a6e71246dfd34626c4d5c7976a33558
                                                              • Opcode Fuzzy Hash: 56a5ca490a3bb71213fa281686dfac3039216fcfc68fe99deb5b12c6bcefd861
                                                              • Instruction Fuzzy Hash: 9D515A31D001189BDF04DF94C984AEDFBB9BF49714F24815AE401BB2A1C7B5A886CFA9
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,0042C195,?,00000000), ref: 0042DFEE
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E01B
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E027
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E033
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0042E042
                                                              • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0042E05B
                                                              • __vbaInStr.MSVBVM60(00000000,?,?,00000001,?,00000000,?,?,004037E6), ref: 0042E06F
                                                              • __vbaInStr.MSVBVM60(00000000,00000000,?,00000001,?,00000000,?,?,004037E6), ref: 0042E099
                                                              • __vbaVarMove.MSVBVM60 ref: 0042E0B5
                                                              • __vbaInStr.MSVBVM60(00000000,?,?,00000001), ref: 0042E0CE
                                                              • __vbaI2I4.MSVBVM60 ref: 0042E0D6
                                                              • __vbaVarSub.MSVBVM60(?,?,00000002), ref: 0042E108
                                                              • __vbaVarMove.MSVBVM60 ref: 0042E113
                                                              • __vbaI4Var.MSVBVM60(?,?), ref: 0042E134
                                                              • #632.MSVBVM60(?,00004008,00000000), ref: 0042E146
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 0042E150
                                                              • __vbaStrMove.MSVBVM60 ref: 0042E15B
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042E16B
                                                              • __vbaFreeStr.MSVBVM60(0042E1CB,?,00000000,?,?,004037E6), ref: 0042E1A9
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E1B2
                                                              • __vbaFreeStr.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E1BB
                                                              • __vbaFreeVar.MSVBVM60(?,00000000,?,?,004037E6), ref: 0042E1C4
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$Move$Copy$#632ChkstkErrorList
                                                              • String ID:
                                                              • API String ID: 46184515-0
                                                              • Opcode ID: 1a37916d03d348373a552fdcc472740a6b82d68577b69a7e734207a3800d84d7
                                                              • Instruction ID: 6024e878eac317fd0436ae6cf3d59ff75dd4de21fba69534b1512a5666b00a10
                                                              • Opcode Fuzzy Hash: 1a37916d03d348373a552fdcc472740a6b82d68577b69a7e734207a3800d84d7
                                                              • Instruction Fuzzy Hash: 2551F775901209EBDB14DFA0DA49BDEBBB8FF08705F108169E506B72A0DB746A09CF64
                                                              APIs
                                                              • __vbaAryConstruct2.MSVBVM60(?,0040CD44,00000003,?,00000000,6D4145C1), ref: 00432FD5
                                                              • __vbaUbound.MSVBVM60(00000001,?), ref: 00433010
                                                              • __vbaCopyBytes.MSVBVM60(00000004,?,?,-00000001), ref: 00433044
                                                              • __vbaRedimPreserve.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000048,00000000), ref: 0043306F
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00433090
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00433098
                                                              • __vbaUI1I2.MSVBVM60 ref: 004330A5
                                                              • __vbaUbound.MSVBVM60(00000001,00000000), ref: 004330B8
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004330E5
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004330ED
                                                              • __vbaUI1I4.MSVBVM60 ref: 004330F7
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043312B
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00433135
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043316C
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00433176
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004331AA
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004331B4
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004331DF
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004331E9
                                                              • __vbaGenerateBoundsError.MSVBVM60(00000000,?,?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 00433233
                                                              • __vbaGenerateBoundsError.MSVBVM60(00000000,?,?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0043323D
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 00433272
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0043327C
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 004332AE
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 004332B8
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 004332EA
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 004332F4
                                                              • __vbaCopyBytes.MSVBVM60(00000004,?,?,?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0043330F
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,-00000001,00000000,?,?,00000010,0000004F,?), ref: 0043331E
                                                              • __vbaGenerateBoundsError.MSVBVM60(00000002), ref: 00433388
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004333A2
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004333BC
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004333D3
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004333E1
                                                              • __vbaErrorOverflow.MSVBVM60(00000000), ref: 00433732
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$BoundsGenerate$BytesCopyUbound$Construct2OverflowPreserveRedim
                                                              • String ID:
                                                              • API String ID: 889003022-0
                                                              • Opcode ID: ae76b36c51c9f39d74a292a228346f6dde2c6859aec0828a0f56baac9cee8fb7
                                                              • Instruction ID: 33adc6320904d04d15c5a7fc1cf06c1aa56547a0688cce7a75314bab95ac7d6f
                                                              • Opcode Fuzzy Hash: ae76b36c51c9f39d74a292a228346f6dde2c6859aec0828a0f56baac9cee8fb7
                                                              • Instruction Fuzzy Hash: F2B1B678A002418FCB18CF68C9849AABB71FF4D312F1491AAED519B351C779DD82CBE5
                                                              APIs
                                                              • __vbaStrCopy.MSVBVM60(6D41D8B1,00000000,00000000), ref: 004384E2
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00438521
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043852B
                                                              • __vbaStrUI1.MSVBVM60(?), ref: 0043853A
                                                              • __vbaStrMove.MSVBVM60 ref: 00438545
                                                              • __vbaStrCmp.MSVBVM60(00409C14,00000000), ref: 0043854D
                                                              • __vbaFreeStr.MSVBVM60 ref: 00438560
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00438597
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 004385A1
                                                              • #608.MSVBVM60(?,00000000), ref: 004385B6
                                                              • __vbaVarAdd.MSVBVM60(?,?,00000008), ref: 004385C8
                                                              • __vbaStrVarMove.MSVBVM60(00000000), ref: 004385CF
                                                              • __vbaStrMove.MSVBVM60 ref: 004385DA
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004385E6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$BoundsErrorGenerate$Move$Free$#608CopyList
                                                              • String ID: `,@
                                                              • API String ID: 1868846481-4168824844
                                                              • Opcode ID: 5054739ca37243503086880bb12837f5e9264dda2b2bb360f6e70c89931f8624
                                                              • Instruction ID: 4516b8d953c463d54c9e73eb19d7e199cb9cf41c37022a6f6bcdd5a68a0e8fc0
                                                              • Opcode Fuzzy Hash: 5054739ca37243503086880bb12837f5e9264dda2b2bb360f6e70c89931f8624
                                                              • Instruction Fuzzy Hash: 8A412A79900229DFCB04DFA4D9899AEFB75FB4C700F10816EF902A7360DB789945CB99
                                                              APIs
                                                              • __vbaOnError.MSVBVM60(00000001,?,00000000,6D4145C1), ref: 0043C552
                                                              • #556.MSVBVM60(0043112C), ref: 0043C55C
                                                              • __vbaVarDup.MSVBVM60 ref: 0043C588
                                                              • #710.MSVBVM60(0043112C,?,0040D72C), ref: 0043C598
                                                              • __vbaStrMove.MSVBVM60 ref: 0043C5A9
                                                              • __vbaStrCat.MSVBVM60(00000000), ref: 0043C5B2
                                                              • __vbaStrMove.MSVBVM60 ref: 0043C5B9
                                                              • __vbaStrCat.MSVBVM60(0040D72C,00000000), ref: 0043C5C2
                                                              • __vbaVarVargNofree.MSVBVM60(?,?,00000001), ref: 0043C60D
                                                              • __vbaVarCat.MSVBVM60(?,00000000), ref: 0043C61E
                                                              • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 0043C62C
                                                              • __vbaInStrVar.MSVBVM60(?,00000000,00000000), ref: 0043C634
                                                              • __vbaVarCmpGt.MSVBVM60(?,00008002,00000000), ref: 0043C649
                                                              • __vbaBoolVar.MSVBVM60(00000000), ref: 0043C650
                                                              • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043C663
                                                              • __vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?), ref: 0043C67F
                                                              • __vbaExitProc.MSVBVM60 ref: 0043C688
                                                              • __vbaExitProc.MSVBVM60 ref: 0043C69C
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$ExitFreeListMoveProc$#556#710BoolErrorNofreeVarg
                                                              • String ID:
                                                              • API String ID: 2501001033-0
                                                              • Opcode ID: 493b6425d4093db9920134e4ac4fd7766c0489287d951241f4476248f50f23d4
                                                              • Instruction ID: a3da43fd3d0a43713f9db1fa4658fe3e14d9ff30d89053e083cf75f88b859f6e
                                                              • Opcode Fuzzy Hash: 493b6425d4093db9920134e4ac4fd7766c0489287d951241f4476248f50f23d4
                                                              • Instruction Fuzzy Hash: 2651B6B1C10258ABDB50DFA4DD85BDEBBB8BB48700F10819BE109B7250DB745A88CFA5
                                                              APIs
                                                              • __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                              • #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                              • __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                              • __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                              • __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                              • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                              • __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                              • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                              • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDE9
                                                              • __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BE09
                                                              • __vbaFreeVar.MSVBVM60(0043BEC3,?,?,00000000), ref: 0043BEBC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$#632BstrMove
                                                              • String ID: 7@
                                                              • API String ID: 563547971-48919864
                                                              • Opcode ID: a694031b85b73fdf16e8925eb44a1447a22a29cfb0f9d1c56c800f35147a438e
                                                              • Instruction ID: eff8a7ea93320152cba6878b003ac5717fb8bcab39ab18c0a8ea35c124ecb141
                                                              • Opcode Fuzzy Hash: a694031b85b73fdf16e8925eb44a1447a22a29cfb0f9d1c56c800f35147a438e
                                                              • Instruction Fuzzy Hash: 8A614CB1C0020ADECF20DF99C981AEEBBB4FF48744F50912AD655B7280D7741A06CFA9
                                                              APIs
                                                                • Part of subcall function 0043BC70: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                                • Part of subcall function 0043BC70: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                                • Part of subcall function 0043BC70: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                                • Part of subcall function 0043BC70: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • __vbaLenBstr.MSVBVM60(?,?,?,6D41D8B1,?,?), ref: 0043B0D8
                                                              • #632.MSVBVM60(?,?,?,?,?,?,?,6D41D8B1,?,?), ref: 0043B119
                                                              • __vbaStrVarMove.MSVBVM60(?,?,?,?,6D41D8B1,?,?), ref: 0043B123
                                                              • __vbaStrMove.MSVBVM60(?,?,?,6D41D8B1,?,?), ref: 0043B12E
                                                              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,?,6D41D8B1,?,?), ref: 0043B13A
                                                              • __vbaInStr.MSVBVM60(00000000,?,+-0123456789.eE,00000001,6D41D8B1,?,?), ref: 0043B150
                                                              • __vbaStrCat.MSVBVM60(?,?), ref: 0043B162
                                                              • __vbaStrMove.MSVBVM60 ref: 0043B16D
                                                              • #564.MSVBVM60(00004008,00000002), ref: 0043B199
                                                              • __vbaHresultCheck.MSVBVM60(00000000), ref: 0043B1A4
                                                              • __vbaVarMove.MSVBVM60 ref: 0043B1B0
                                                              • __vbaFreeStr.MSVBVM60(0043B1F1,?,?,?,6D41D8B1,?,?), ref: 0043B1E9
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,6D41D8B1,?,?), ref: 0043B1EE
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 0043B220
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Free$#632Bstr$#564CheckErrorHresultListOverflow
                                                              • String ID: +-0123456789.eE
                                                              • API String ID: 654446260-3706364263
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6,?,?,00000000,?,?,004037E6), ref: 004395DE
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00439624
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000), ref: 00439633
                                                                • Part of subcall function 0043BC70: __vbaLenBstr.MSVBVM60(?,?,00000000), ref: 0043BCCD
                                                                • Part of subcall function 0043BC70: #632.MSVBVM60(?,?,00000000,?,?,?,00000000), ref: 0043BD11
                                                                • Part of subcall function 0043BC70: __vbaVarMove.MSVBVM60(?,?,00000000), ref: 0043BD20
                                                                • Part of subcall function 0043BC70: __vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0043BD29
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,00000000), ref: 0043BD49
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BD69
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(00004008,?,?,?,?,00000000), ref: 0043BD89
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDA9
                                                                • Part of subcall function 0043BC70: __vbaVarTstEq.MSVBVM60(?,?,?,?,?,00000000), ref: 0043BDC9
                                                              • #632.MSVBVM60(?,00004008,00000001,00000002), ref: 0043967F
                                                              • __vbaVarMove.MSVBVM60 ref: 0043968B
                                                              • __vbaFreeVar.MSVBVM60 ref: 00439694
                                                              • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 004396B7
                                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001), ref: 004396DD
                                                              • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 00439702
                                                              • __vbaObjSet.MSVBVM60(00000000,00000000,?,00000001), ref: 00439728
                                                              • __vbaFreeVar.MSVBVM60(0043977F), ref: 00439778
                                                                • Part of subcall function 00439FB0: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00439FCE
                                                                • Part of subcall function 00439FB0: __vbaNew.MSVBVM60(004076EC,?,00000000,?,00000000,004037E6), ref: 0043A001
                                                                • Part of subcall function 00439FB0: __vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,00000000,004037E6), ref: 0043A00C
                                                                • Part of subcall function 00439FB0: #632.MSVBVM60(?,00004008,?,00000002), ref: 0043A06A
                                                                • Part of subcall function 00439FB0: __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0043A08F
                                                                • Part of subcall function 00439FB0: __vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0043A0A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$#632$ChkstkMove$BstrCopyErrorList
                                                              • String ID: HpD$HpD$Invalid JSON
                                                              • API String ID: 1141054087-3949628892
                                                              APIs
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000,?,00000000), ref: 0043BF9D
                                                              • __vbaI2I4.MSVBVM60 ref: 0043BFAE
                                                              • __vbaI2I4.MSVBVM60 ref: 0043BFBD
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,00000002), ref: 0043BFF5
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 0043BFFD
                                                              • #631.MSVBVM60(?,?,00000002), ref: 0043C020
                                                              • __vbaStrMove.MSVBVM60(?,00000002), ref: 0043C02B
                                                              • #516.MSVBVM60(00000000,?,00000002), ref: 0043C032
                                                              • __vbaUI1I2.MSVBVM60(?,00000002), ref: 0043C03A
                                                              • __vbaFreeStr.MSVBVM60(?,00000002), ref: 0043C04C
                                                              • __vbaFreeVar.MSVBVM60(?,00000002), ref: 0043C055
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 0043C074
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,0043C0B3), ref: 0043C0AC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$BoundsErrorFreeGenerateMove$#516#631DestructRedim
                                                              • String ID: 7@
                                                              • API String ID: 1468883768-48919864
                                                              APIs
                                                              • #644.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00424D43
                                                              • __vbaLenBstr.MSVBVM60(?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424D52
                                                              • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424D68
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424D94
                                                              • #644.MSVBVM60(00000000), ref: 00424DA0
                                                              • __vbaAryLock.MSVBVM60(?,?), ref: 00424DAC
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00424DCB
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00424DD8
                                                              • __vbaLenBstr.MSVBVM60(?,00000000,?,00000000,00000000), ref: 00424DF2
                                                              • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,00000000), ref: 00424E06
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 00424E10
                                                              • __vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424E1C
                                                              • __vbaAryMove.MSVBVM60(?,?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424E2A
                                                              • __vbaAryMove.MSVBVM60(?,?,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424E38
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00424E7B,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424E74
                                                              • __vbaErrorOverflow.MSVBVM60(00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 00424E91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$#644BoundsBstrGenerateMoveSystem$DestructLockOverflowRedimStr2Unlock
                                                              • String ID:
                                                              • API String ID: 2297530715-0
                                                              APIs
                                                              • #644.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00442E00
                                                              • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00442E16
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000000,00000000), ref: 00442E39
                                                              • #644.MSVBVM60 ref: 00442E45
                                                              • __vbaAryLock.MSVBVM60(?,?), ref: 00442E51
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00442E70
                                                              • __vbaGenerateBoundsError.MSVBVM60 ref: 00442E7D
                                                              • #644.MSVBVM60(00000000), ref: 00442E8C
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 00442E98
                                                              • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,?,00000000,00000000), ref: 00442EB8
                                                              • __vbaAryMove.MSVBVM60(?,?), ref: 00442ECA
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00442F01,?,?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00442EFA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$#644$BoundsGenerateSystem$DestructLockMoveRedimUnlock
                                                              • String ID: h4@
                                                              • API String ID: 146136300-1953755629
                                                              APIs
                                                              • __vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00442FF2
                                                              • __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443002
                                                              • __vbaStr2Vec.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443009
                                                              • __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443013
                                                              • __vbaSetSystemError.MSVBVM60(00403488,0042650B,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443024
                                                              • __vbaSetSystemError.MSVBVM60(00403488,0042650B,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 0044303C
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000,?,00000000), ref: 0044305F
                                                              • __vbaAryLock.MSVBVM60(?,?), ref: 00443070
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044308F
                                                              • __vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0044309C
                                                              • __vbaSetSystemError.MSVBVM60(00000000,00000000,?), ref: 004430B5
                                                              • __vbaAryUnlock.MSVBVM60(?), ref: 004430BB
                                                              • __vbaAryMove.MSVBVM60(?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 004430C9
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,0044310C,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6), ref: 00443105
                                                              • __vbaErrorOverflow.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,00000000,004037E6,0042650B), ref: 00443122
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Error$MoveSystem$BoundsGenerateStr2$DestructLockOverflowRedimUnlock
                                                              • String ID:
                                                              • API String ID: 443305354-0
                                                              APIs
                                                              • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00000000), ref: 00442CC1
                                                              • __vbaStrCopy.MSVBVM60(?,00000000), ref: 00442CD4
                                                              • __vbaVarDup.MSVBVM60(?,00000000), ref: 00442CF8
                                                              • #607.MSVBVM60(?,-00000001,?,?,00000000), ref: 00442D12
                                                              • __vbaStrVarMove.MSVBVM60(?,?,00000000), ref: 00442D1C
                                                              • __vbaStrMove.MSVBVM60(?,00000000), ref: 00442D27
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000), ref: 00442D37
                                                              • #644.MSVBVM60(?), ref: 00442D44
                                                              • __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 00442D5C
                                                              • __vbaFreeStr.MSVBVM60(00442D96,?,000000FF,00000000,00000000), ref: 00442D8F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$ErrorFreeMoveSystem$#607#644CopyList
                                                              • String ID: X4@
                                                              • API String ID: 3415219340-1343755389
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,00000000,?,?,004037E6), ref: 004362EE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043631E
                                                              • #645.MSVBVM60(00004008,00000000), ref: 0043633E
                                                              • __vbaStrMove.MSVBVM60 ref: 00436349
                                                              • __vbaLenBstrB.MSVBVM60(00000000), ref: 00436350
                                                              • __vbaFreeStr.MSVBVM60 ref: 00436366
                                                              • #648.MSVBVM60(0000000A), ref: 00436391
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043639E
                                                              • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000000,00000000), ref: 004363BA
                                                              • #570.MSVBVM60(00000000), ref: 004363CC
                                                              • #525.MSVBVM60(00000000), ref: 004363D3
                                                              • __vbaStrMove.MSVBVM60 ref: 004363DE
                                                              • __vbaGet3.MSVBVM60(00000000,?,00000000), ref: 004363F6
                                                              • __vbaFileClose.MSVBVM60(00000000), ref: 00436408
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$FileFreeMove$#525#570#645#648BstrChkstkCloseErrorGet3Open
                                                              • String ID:
                                                              • API String ID: 3431710322-0
                                                              • Opcode ID: 50fd33985d81610172c54adf4208f4a29d1b9cd77c76d03e15942f686daddb47
                                                              • Instruction ID: 254e57b9662f4d9c6e17d06259106c7ce66a7db38f85a1ab9e2c0d123cc9da76
                                                              • Opcode Fuzzy Hash: 50fd33985d81610172c54adf4208f4a29d1b9cd77c76d03e15942f686daddb47
                                                              • Instruction Fuzzy Hash: BE310EB5D00208EBDB04DFA4DA48BDEBBB8FF18705F108159F511B72A0DB795A44CB68
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0043375E
                                                              • __vbaOnError.MSVBVM60(000000FF,00000000,-00000001,6D4145C1,00000000,004037E6), ref: 0043378E
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,?,00000000), ref: 004337C7
                                                              • __vbaRedim.MSVBVM60(00000080,00000001,004470C8,00000011,00000001,00000000,00000000), ref: 00433848
                                                              • __vbaAryMove.MSVBVM60(?,?,00006011,004470BC,00006011,?,00004002), ref: 0043390A
                                                              • __vbaAryMove.MSVBVM60(004470C8,?,?,?,?), ref: 004339FA
                                                              • __vbaAryMove.MSVBVM60(?,?,00006011,?,00006011,?,00004002), ref: 00433B08
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,00433B42), ref: 00433B2F
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?), ref: 00433B3B
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 00438A1E
                                                                • Part of subcall function 00438890: __vbaOnError.MSVBVM60(000000FF,6D41D8B1,?,6D40A323,00000000,004037E6), ref: 00438A4E
                                                                • Part of subcall function 00438890: __vbaVarVargNofree.MSVBVM60 ref: 00438A6F
                                                                • Part of subcall function 00438890: __vbaVarSub.MSVBVM60(?,00000002,00000000), ref: 00438A7E
                                                                • Part of subcall function 00438890: __vbaI2Var.MSVBVM60(00000000), ref: 00438A85
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B0B
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B2E
                                                                • Part of subcall function 00438890: __vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00438B56
                                                                • Part of subcall function 00438890: __vbaChkstk.MSVBVM60 ref: 00438B66
                                                                • Part of subcall function 00438890: __vbaVarIndexStore.MSVBVM60(00000000,00000001), ref: 00438B89
                                                              • __vbaErrorOverflow.MSVBVM60(00000000), ref: 00433B58
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Chkstk$ErrorMove$DestructIndexRedim$LoadNofreeOverflowStoreVarg
                                                              • String ID: #
                                                              • API String ID: 2367531599-1885708031
                                                              • Opcode ID: 4be0415ab306c1f6f3bc222971011af3808c8cd18025df7090407a95abe3d5aa
                                                              • Instruction ID: 048e3e444c4c5cfdaa266ffdccfc85970270df6e31bb028742bdc5470d47a169
                                                              • Opcode Fuzzy Hash: 4be0415ab306c1f6f3bc222971011af3808c8cd18025df7090407a95abe3d5aa
                                                              • Instruction Fuzzy Hash: 72B1E6B1802208EAEB04DFD4D948BDEBBB5FF08705F10805AE5157B290D7B91B89DF69
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0043836E
                                                              • __vbaOnError.MSVBVM60(000000FF,6D41D8B1,00000000,00000000,00000000,004037E6), ref: 0043839E
                                                              • __vbaInStr.MSVBVM60(00000000,0040D72C,?,00000001), ref: 004383BA
                                                              • #617.MSVBVM60(?,00004008,-00000001), ref: 004383F9
                                                              • #520.MSVBVM60(?,?), ref: 00438407
                                                              • __vbaStrVarMove.MSVBVM60(?), ref: 00438411
                                                              • __vbaStrMove.MSVBVM60 ref: 0043841C
                                                              • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0043842C
                                                              • __vbaStrCopy.MSVBVM60 ref: 00438446
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 00438491
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$ErrorMove$#520#617ChkstkCopyFreeListOverflow
                                                              • String ID: `,@
                                                              • API String ID: 4098594408-4168824844
                                                              • Opcode ID: e957787917c354d79f9f0539b0d086e6c59c305137167f755bf5f55c2db0e467
                                                              • Instruction ID: 220ce30aaeeb74d0d1796f46f72b430e27544300f9b667a2406dc649e27f562b
                                                              • Opcode Fuzzy Hash: e957787917c354d79f9f0539b0d086e6c59c305137167f755bf5f55c2db0e467
                                                              • Instruction Fuzzy Hash: 30312BB1900249EFDB00DF94CA49BDEBBB8FF08345F108159F501B7690DBB95A44CB94
                                                              APIs
                                                              • #631.MSVBVM60(?,7@,?,6D41D8B1,6D41D83C,00000000), ref: 004453B8
                                                              • __vbaStrMove.MSVBVM60(?,00000000,00000002), ref: 004453C3
                                                              • __vbaFreeVar.MSVBVM60(?,00000000,00000002), ref: 004453CC
                                                              • __vbaStrCmp.MSVBVM60(0040651C,?), ref: 004453E8
                                                              • #561.MSVBVM60(00004008), ref: 004453F9
                                                              • __vbaFreeStr.MSVBVM60(00445433,6D41D8B1,6D41D83C,00000000), ref: 0044542C
                                                              • __vbaErrorOverflow.MSVBVM60 ref: 00445449
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$#561#631ErrorMoveOverflow
                                                              • String ID: 183B3A25705A793729213018215E3A0B1C$IP:$MpONUJuVDANGqQpTnhXfepVjqtyveYrc$7@
                                                              • API String ID: 3197503391-2443856910
                                                              • Opcode ID: aace5e72541b771e6325692df26041eae38864e394e8d69337359954c6c13fd5
                                                              • Instruction ID: 4dc0c37c955a7cc9f0f7a5d48cb870623735996d9d96eebc359529dd93c44fae
                                                              • Opcode Fuzzy Hash: aace5e72541b771e6325692df26041eae38864e394e8d69337359954c6c13fd5
                                                              • Instruction Fuzzy Hash: C0217FB4D00209EFDB00DFB4D949AEEBBB4EB08742F108126E416F72A0E7745944CFA5
                                                              APIs
                                                              • __vbaLenBstr.MSVBVM60(00000000,?,7@,00000001), ref: 0044548D
                                                              • #631.MSVBVM60(?,?,?), ref: 004454B4
                                                              • __vbaStrMove.MSVBVM60(?,?,?), ref: 004454BF
                                                              • __vbaFreeVar.MSVBVM60(?,?,?), ref: 004454C8
                                                              • __vbaStrCmp.MSVBVM60(0040651C,?,?,?,?), ref: 004454E4
                                                              • #561.MSVBVM60(00004008,?,?,?), ref: 004454F5
                                                              • __vbaFreeStr.MSVBVM60(00445531), ref: 0044552A
                                                              • __vbaErrorOverflow.MSVBVM60(?,?,?), ref: 00445547
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$#561#631BstrErrorMoveOverflow
                                                              • String ID: 7@
                                                              • API String ID: 1526774655-48919864
                                                              • Opcode ID: b8064d07bf3ab590bbd7e915743cf3ebad99400367776abf3fcf7daa114b9270
                                                              • Instruction ID: a53c8747311365eaa2888f71c7a1d1eb459c2e8f3361d1b67916ed4fb2f5633a
                                                              • Opcode Fuzzy Hash: b8064d07bf3ab590bbd7e915743cf3ebad99400367776abf3fcf7daa114b9270
                                                              • Instruction Fuzzy Hash: C8212AB1D10219EFDF00EFA4D989AAEBBB8FB08705F10412AE406F7250E7746945CF95
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 004415DE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,00000000,004037E6), ref: 0044160E
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 00441644
                                                              • __vbaStrCopy.MSVBVM60(?,00000000,?,00000000,004037E6), ref: 0044165C
                                                              • __vbaRecUniToAnsi.MSVBVM60(0040527C,?,?), ref: 00441694
                                                              • __vbaSetSystemError.MSVBVM60(00000000), ref: 004416A0
                                                              • __vbaRecAnsiToUni.MSVBVM60(0040527C,?,?), ref: 004416B3
                                                              • __vbaRecDestructAnsi.MSVBVM60(0040527C,?), ref: 004416C2
                                                              • __vbaRecDestructAnsi.MSVBVM60(0040527C,?,004416EC), ref: 004416D6
                                                              • __vbaRecDestruct.MSVBVM60(0040527C,?), ref: 004416E5
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Ansi$Destruct$CopyError$ChkstkSystem
                                                              • String ID:
                                                              • API String ID: 558074244-0
                                                              • Opcode ID: 0420359c1966fdd339460f0e6cd6fe31b12aef4b08567a79b146955dec9450ea
                                                              • Instruction ID: 612f24a05f58fb3c3e586b2768c1954b9096e1a37bbf38a8df3545079b7ef057
                                                              • Opcode Fuzzy Hash: 0420359c1966fdd339460f0e6cd6fe31b12aef4b08567a79b146955dec9450ea
                                                              • Instruction Fuzzy Hash: B231EBB4901208EFDB00DFD4DA49B9EBBB8FF48709F208159E501B7291D7B96A09CF65
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(00000000,004037E6), ref: 0041393E
                                                              • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,004037E6), ref: 0041397A
                                                              • __vbaStrCmp.MSVBVM60(00405E48,?,?,?,?,00000000,004037E6), ref: 00413992
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,004037E6), ref: 004139B0
                                                              • __vbaStrMove.MSVBVM60(?,?,?,?,?,00000000,004037E6), ref: 004139C4
                                                              • __vbaStrCopy.MSVBVM60(?,?,?,?,00000000,004037E6), ref: 004139D2
                                                              • __vbaStrMove.MSVBVM60 ref: 004139F1
                                                              • __vbaStrMove.MSVBVM60(?,?), ref: 00413A0F
                                                              • __vbaStrCmp.MSVBVM60(00000000), ref: 00413A16
                                                              • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00413A40
                                                              • __vbaFreeVar.MSVBVM60(00416AC7), ref: 00416A9C
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AA5
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AAE
                                                              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AB7
                                                              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,004037E6), ref: 00416AC0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Free$Move$Copy$ChkstkErrorList
                                                              • String ID:
                                                              • API String ID: 898385891-0
                                                              • Opcode ID: c75d58afd016863a7fa759e3387b43e5ab06a89d38bb6ad8ad0ce6a046c30ef3
                                                              • Instruction ID: ab76abaacb7e0c7d37249a60a3620ac8cb51b0d41ff308144e1a5f4941cb8cfc
                                                              • Opcode Fuzzy Hash: c75d58afd016863a7fa759e3387b43e5ab06a89d38bb6ad8ad0ce6a046c30ef3
                                                              • Instruction Fuzzy Hash: D21119B4904249EFDB00DF94CA49BADBBB8FF09745F108129F402772A0C7B8AA45CB59
                                                              APIs
                                                              • __vbaChkstk.MSVBVM60(?,004037E6,?,?,?,0041C10F,?,00447038), ref: 0043C3FE
                                                              • __vbaOnError.MSVBVM60(000000FF,?,00000000,?,?,004037E6), ref: 0043C42E
                                                              • #648.MSVBVM60(0000000A), ref: 0043C454
                                                              • __vbaFreeVar.MSVBVM60 ref: 0043C461
                                                              • __vbaFileOpen.MSVBVM60(00000220,000000FF,?), ref: 0043C480
                                                              • __vbaPut3.MSVBVM60(00000000,00000000,?), ref: 0043C498
                                                              • __vbaFileClose.MSVBVM60(?), ref: 0043C4AA
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$File$#648ChkstkCloseErrorFreeOpenPut3
                                                              • String ID:
                                                              • API String ID: 509661398-0
                                                              • Opcode ID: 4fa16cf116d2389cec8825c51e8b4a5336bed18a5e6f26ca4c4070749daf2f61
                                                              • Instruction ID: 57c5d92529873101f3e59cbdf78d1047187b99563213ca7311aa2ebebea37ef2
                                                              • Opcode Fuzzy Hash: 4fa16cf116d2389cec8825c51e8b4a5336bed18a5e6f26ca4c4070749daf2f61
                                                              • Instruction Fuzzy Hash: 112129B5801208EBDB00DFD4CA49B9EBBB8FB08704F208159F511B72A0C7B95A04CB69
                                                              APIs
                                                              • __vbaStrCopy.MSVBVM60(?,?,00000000), ref: 0043467F
                                                                • Part of subcall function 00438660: __vbaLenBstr.MSVBVM60(00000000,`,@,00000000,6D41D8B1), ref: 004386A9
                                                                • Part of subcall function 00438660: __vbaLenBstr.MSVBVM60 ref: 004386B7
                                                                • Part of subcall function 00438660: __vbaFpI4.MSVBVM60 ref: 004386F1
                                                                • Part of subcall function 00438660: __vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,-00000001,00000000), ref: 00438711
                                                                • Part of subcall function 00438660: __vbaUbound.MSVBVM60(00000001,?), ref: 00438720
                                                                • Part of subcall function 00438660: __vbaGenerateBoundsError.MSVBVM60 ref: 00438760
                                                                • Part of subcall function 00438660: #631.MSVBVM60(?,?,?,0040C894), ref: 00438794
                                                                • Part of subcall function 00438660: __vbaStrMove.MSVBVM60 ref: 0043879F
                                                                • Part of subcall function 00438660: __vbaStrCat.MSVBVM60(00000000), ref: 004387A2
                                                                • Part of subcall function 00438660: __vbaStrMove.MSVBVM60 ref: 004387AD
                                                              • __vbaAryMove.MSVBVM60(?,?,?), ref: 00434699
                                                              • __vbaFreeStr.MSVBVM60 ref: 004346A2
                                                              • __vbaAryDestruct.MSVBVM60(00000000,?,004346D8), ref: 004346D1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$Move$Bstr$#631BoundsCopyDestructErrorFreeGenerateRedimUbound
                                                              • String ID: 00000001
                                                              • API String ID: 444737788-3071262101
                                                              • Opcode ID: f476b1adf61e7658f8a2454bedaa6ec6b7512b6ce2372468cd13f75ddb737a01
                                                              • Instruction ID: e29bfc60fd206f1da52c8575c671e39e0cc9b6da186ff21ed137e17daf859f9f
                                                              • Opcode Fuzzy Hash: f476b1adf61e7658f8a2454bedaa6ec6b7512b6ce2372468cd13f75ddb737a01
                                                              • Instruction Fuzzy Hash: 2A01DEB5C002099FCF40EFA4D94AAEEBBB8EB48701F10816AE505F2590E7785545CB65
                                                              APIs
                                                              • __vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 0044332F
                                                              • __vbaSetSystemError.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 0044333B
                                                              • __vbaStrToUnicode.MSVBVM60(?,?,?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 00443346
                                                              • __vbaFreeStr.MSVBVM60(?,?,?,00000000,?,?,?,?,00000000,004037E6), ref: 0044334F
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$AnsiErrorFreeSystemUnicode
                                                              • String ID:
                                                              • API String ID: 1195834276-0
                                                              • Opcode ID: 798d7a06fb43a309523a95348a581ab234a65605ac5dc71186f7208b4717065d
                                                              • Instruction ID: 6134c867768075c8d0030f37027ed21cfd89c0ece6a84ccc4e99a99e3098626f
                                                              • Opcode Fuzzy Hash: 798d7a06fb43a309523a95348a581ab234a65605ac5dc71186f7208b4717065d
                                                              • Instruction Fuzzy Hash: E7F0E1B5800209AFDB10DFA8C949AAFBBBCFB48705F50842AF505F7150D7785A05CBA5
                                                              APIs
                                                              • __vbaSetSystemError.MSVBVM60(?,7@,?,00000000,?,?,?,00000000,004037E6), ref: 00442F60
                                                                • Part of subcall function 00442C70: __vbaSetSystemError.MSVBVM60(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00000000), ref: 00442CC1
                                                                • Part of subcall function 00442C70: __vbaStrCopy.MSVBVM60(?,00000000), ref: 00442CD4
                                                                • Part of subcall function 00442C70: __vbaFreeStr.MSVBVM60(00442D96,?,000000FF,00000000,00000000), ref: 00442D8F
                                                              • __vbaStrMove.MSVBVM60(?,?,00000000,?,?,?,00000000,004037E6), ref: 00442F77
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000005.00000002.3410477819.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                              • Associated: 00000005.00000002.3410816467.0000000000448000.00000002.00000001.01000000.00000008.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_400000_flakeboard.jbxd
                                                              Yara matches
                                                              Similarity
                                                              • API ID: __vba$ErrorSystem$CopyFreeMove
                                                              • String ID: 7@
                                                              • API String ID: 4132785901-48919864
                                                              • Opcode ID: f17c8b23d655576ff2251286b71c1b8e01120ea4fd21a166928ce7b4906d579d
                                                              • Instruction ID: 0bc9eb13713300dfc51e8289a46c72847d31397587c497134e9898889b9f3959
                                                              • Opcode Fuzzy Hash: f17c8b23d655576ff2251286b71c1b8e01120ea4fd21a166928ce7b4906d579d
                                                              • Instruction Fuzzy Hash: 43F068B4D00209AFC700DF75C945AAFBBB8FB48740F90852AB405B7150D7785A05CB95