
Windows Analysis Report
setup.exe

Overview

General Information

Sample name:setup.exe
Analysis ID:1566854
MD5:7186a29ce1fa3f48a7d318e0b4768575
SHA1:73290e5070f43fdaabc6373056e6aeace4d449ea
SHA256:c5df6e91a9211a4240084381e885b6195b0391009c3a5554106d8d0fb852d406
Infos:

Detection

Score:24
Range:0 - 100
Whitelisted:false
Confidence:0%

Signatures

Creates an undocumented autostart registry key
Installs a global keyboard hook
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • setup.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 7186A29CE1FA3F48A7D318E0B4768575)
    • setup.tmp (PID: 7316 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp" /SL5="$20434,4812598,58368,C:\Users\user\Desktop\setup.exe" MD5: 1AFBD25DB5C9A90FE05309F7C4FBCF09)
      • regsvr32.exe (PID: 7872 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Comdlg32.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 7916 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\mscomctl.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 7932 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\MSCOMCT2.OCX" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 7992 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sbls.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 8028 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sblc.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • msiexec.exe (PID: 8044 cmdline: "msiexec.exe" /i "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\tscc.msi" /qn MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • msiexec.exe (PID: 8076 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • Video.UI.exe (PID: 2024 cmdline: "C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe" -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca MD5: FE340ECB1D09B5BAA66DFE25AF11654F)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\tsccvid64.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 8076, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\vidc.tscc
Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp" /SL5="$20434,4812598,58368,C:\Users\user\Desktop\setup.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp" /SL5="$20434,4812598,58368,C:\Users\user\Desktop\setup.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 7300, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp" /SL5="$20434,4812598,58368,C:\Users\user\Desktop\setup.exe" , ProcessId: 7316, ProcessName: setup.tmp
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp, ProcessId: 7316, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Automatically Switch Between Applications At Certain Times Software.exe
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Windows\SysWOW64\tsccvid.dll, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 8076, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\vidc.tscc
No Suricata rule has matched

Source: setup.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknownHTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknownHTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\BuildAgent\work\7ee4797dfc367fb7\bin\x64_Release\tsccvid64.pdb source: tsccvid64.dll.16.dr
Source: Binary string: D:\BuildAgent\work\7ee4797dfc367fb7\bin\Release\tsccvid.pdb source: tsccvid.dll.16.dr
Source: C:\Windows\System32\msiexec.exeFile opened: z:
Source: C:\Windows\System32\msiexec.exeFile opened: x:
Source: C:\Windows\System32\msiexec.exeFile opened: v:
Source: C:\Windows\System32\msiexec.exeFile opened: t:
Source: C:\Windows\System32\msiexec.exeFile opened: r:
Source: C:\Windows\System32\msiexec.exeFile opened: p:
Source: C:\Windows\System32\msiexec.exeFile opened: n:
Source: C:\Windows\System32\msiexec.exeFile opened: l:
Source: C:\Windows\System32\msiexec.exeFile opened: j:
Source: C:\Windows\System32\msiexec.exeFile opened: h:
Source: C:\Windows\System32\msiexec.exeFile opened: f:
Source: C:\Windows\System32\msiexec.exeFile opened: b:
Source: C:\Windows\System32\msiexec.exeFile opened: y:
Source: C:\Windows\System32\msiexec.exeFile opened: w:
Source: C:\Windows\System32\msiexec.exeFile opened: u:
Source: C:\Windows\System32\msiexec.exeFile opened: s:
Source: C:\Windows\System32\msiexec.exeFile opened: q:
Source: C:\Windows\System32\msiexec.exeFile opened: o:
Source: C:\Windows\System32\msiexec.exeFile opened: m:
Source: C:\Windows\System32\msiexec.exeFile opened: k:
Source: C:\Windows\System32\msiexec.exeFile opened: i:
Source: C:\Windows\System32\msiexec.exeFile opened: g:
Source: C:\Windows\System32\msiexec.exeFile opened: e:
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeFile opened: c:
Source: C:\Windows\System32\msiexec.exeFile opened: a:
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,1_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00453238 FindFirstFileA,GetLastError,1_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,1_2_00463B44
Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\
Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\setup.exeFile opened: C:\Users\user~1\AppData\
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 4x nop then mov eax, dword ptr [10140498h]18_2_100918C0
Source: Joe Sandbox ViewIP Address: 13.107.246.63 13.107.246.63
Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficHTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global trafficHTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic
DNS traffic detected: DNS query: settings-ssl.xboxlive.com

Source: unknown
HTTP traffic detected:
POST /PlayReady/ACT/Activation.asmx HTTP/1.1
Connection: Keep-Alive
Content-Type: text/xml; charset=utf-8
Accept: */*
User-Agent: Microsoft-PlayReady-DRM/1.0
x-playready-info: OSVersion=10.0; ClientDllVersion=Windows.Media.Protection.PlayReady.dll/10.0.19041.2006 (WinBuild.160101.0800); Session=eacca7c5a6bc682cdfeca64c426a7eaf; StoreAppID=Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo; X-XblCorrelationId: 4891803609030095488
SOAPAction: "http://schemas.microsoft.com/PlayReady/ActivationService/v1/Activate"
Content-Length: 3580
Host: activation2.playready.microsoft.com
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49796
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49795
Source: unknownNetwork traffic detected: HTTP traffic on port 49952 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
Source: unknownNetwork traffic detected: HTTP traffic on port 49814 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
Source: unknownNetwork traffic detected: HTTP traffic on port 49895 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49768 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49884 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49941 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49779 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49859 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49871 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49894 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49965 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49942 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49816 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49919 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49954 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49767 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49827 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49848 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49882 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49838 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49953 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49815 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49908 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49860 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49883 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49931 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49920 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49949 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49800 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49766 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49961 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49881 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49950 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49858 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49893 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49869 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49972 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49892 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49904 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49847 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49927 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49870 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49938 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49811 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49951 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49836 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49916 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49845 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49868 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49780 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49879 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49802 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49905 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49764 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49801 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49940 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49891 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49917 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49880 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49962 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49890 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49970 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49781 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49878 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49912 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49935 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49958 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49889 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49866 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49946 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49855 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49901 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49924 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49819 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49947 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49831 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49774 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49969 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49856 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49913 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49808 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49867 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
Source: unknownNetwork traffic detected: HTTP traffic on port 49865 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49942
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
Source: unknownNetwork traffic detected: HTTP traffic on port 49842 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49941
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49940
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49762 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49819
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49818
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
Source: unknownNetwork traffic detected: HTTP traffic on port 49810 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49938
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49816
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49937
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49815
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49936
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49814
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49935
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
Source: unknownNetwork traffic detected: HTTP traffic on port 49902 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49934
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49933
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49811
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49932
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49810
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49931
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49930
Source: unknownNetwork traffic detected: HTTP traffic on port 49925 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49971 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49936 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49960 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49808
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49929
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49806
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49927
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49925
Source: unknownNetwork traffic detected: HTTP traffic on port 49773 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49924
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49802
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49923
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49801
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49922
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49800
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49921
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49920
Source: unknownNetwork traffic detected: HTTP traffic on port 49783 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49877 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49854 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49914 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49919
Source: unknownNetwork traffic detected: HTTP traffic on port 49937 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49918
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49917
Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49916
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49915
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49914
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49913
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49912
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49911
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49910
Source: unknownNetwork traffic detected: HTTP traffic on port 49948 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49843 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49761 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49959 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49832 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49909
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49908
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49907
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49906
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49905
Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49904
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49903
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49902
Source: unknownNetwork traffic detected: HTTP traffic on port 49903 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49901
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49900
Source: unknownNetwork traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.7:49774 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Windows user hook set: 1720 mouse C:\Windows\SYSTEM32\MSVBVM60.DLL
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe Windows user hook set: 5520 call wnd proc C:\Windows\System32\shcore.dll
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_100B53B1 #3797,#5290,GetKeyState,GetKeyState,#3797,#4390,GetKeyState,#3797,#4390,GetKeyState,#3797,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,#5290,18_2_100B53B1
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_100B46A0 #3797,SendMessageA,#3874,#4129,#858,#4278,#939,#800,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,#800,18_2_100B46A0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_1004C7D0 #3797,SendMessageA,#3874,#4129,#858,#4278,#939,#800,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,#800,18_2_1004C7D0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_10021120 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,#2864,GetParent,#2864,IsWindowVisible,SendMessageA,#3496,GetParent,#2864,SendMessageA,#1133,#1940,#1940,#1133,#2122,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,_mbscmp,free,CopyRect,CopyRect,CopyRect,EqualRect,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,free,free,free,#2864,GetParent,GetParent,#2864,18_2_10021120
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_100D9170 #6467,GetFocus,GetFocus,GetFocus,IsChild,GetKeyState,GetKeyState,GetKeyState,GetKeyState,18_2_100D9170
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_1001DF60 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetCursorPos,IsWindow,IsWindow,#2864,GetWindowRect,#6605,PtInRect,18_2_1001DF60
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_100A0490 #823,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,#3237,#2795,#4021,18_2_100A0490
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_100A05D0 #823,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,#3237,#2795,#4021,18_2_100A05D0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_100E0B90 GetCursorPos,SetForegroundWindow,#2795,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetCursorPos,GetKeyState,GetKeyState,GetKeyState,GetKeyState,#2795,GetCursorPos,SetForegroundWindow,GetKeyState,GetKeyState,GetKeyState,GetKeyState,#2795,#2795,18_2_100E0B90
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe Code function: 18_2_1004CDA0 #3797,GetKeyState,GetKeyState,GetKeyState,#2379,#3874,#2379,#3874,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,#3874,#3874,#5856,#5856,#2379,18_2_1004CDA0
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp Code function: 1_2_00424014 NtdllDefWindowProc_A,1_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp Code function: 1_2_0042FA00 NtdllDefWindowProc_A,1_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp Code function: 1_2_00412A68 NtdllDefWindowProc_A,1_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp Code function: 1_2_0047AC34 NtdllDefWindowProc_A,1_2_0047AC34
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp Code function: 1_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_00457E24
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp Code function: 1_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042EDC4
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp Code function: 1_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_00455E14
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\67244c.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{84FE50F5-B0F3-4D18-8BE8-A4DEEE0C37AD}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI25C3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\tsccvid.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\tsccvid64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\67244f.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\67244f.msi
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_032ADF0018_2_032ADF00
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_032F3E1018_2_032F3E10
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_032A7D2018_2_032A7D20
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_032EFD9018_2_032EFD90
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_032D1C7018_2_032D1C70
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_032E9CF018_2_032E9CF0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100651B018_2_100651B0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100691B018_2_100691B0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100353C018_2_100353C0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100656A018_2_100656A0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100C970018_2_100C9700
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1004181018_2_10041810
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006194018_2_10061940
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006DF4018_2_1006DF40
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006C0B018_2_1006C0B0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100642E018_2_100642E0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100043B018_2_100043B0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1000C54018_2_1000C540
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006856018_2_10068560
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100545F018_2_100545F0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006C6A018_2_1006C6A0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006470618_2_10064706
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100688A018_2_100688A0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1002C8F018_2_1002C8F0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1007C91018_2_1007C910
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1002CB3018_2_1002CB30
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_10064B9018_2_10064B90
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100A4D7018_2_100A4D70
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006CDB418_2_1006CDB4
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_10064F8018_2_10064F80
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006B02018_2_1006B020
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006F0A018_2_1006F0A0
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1009311018_2_10093110
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_100D332018_2_100D3320
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006340018_2_10063400
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006F62018_2_1006F620
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_1006B69018_2_1006B690
Source: setup.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: setup.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: setup.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-MD00T.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-MD00T.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-MD00T.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-AVEPL.tmp.1.dr | Static PE information: No import functions for PE file found
Source: setup.exe, 00000000.00000003.1244973334.0000000002158000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs setup.exe
Source: setup.exe, 00000000.00000003.1244807517.0000000002380000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs setup.exe
Source: setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp | Binary or memory string: @*\AC:\Sobolsoft\Automatically Switch Between Applications At Certain Times Software\Project1.vbp
Source: Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000000.1436731174.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, is-N12AD.tmp.1.dr | Binary or memory string: pHF4@pH*\AC:\Sobolsoft\Automatically Switch Between Applications At Certain Times Software\Project1.vbp
Source: Automatically Switch Between Applications At Certain Times Software.exe | Binary or memory string: H*\AC:\Sobolsoft\Automatically Switch Between Applications At Certain Times Software\Project1.vbp
Source: classification engine | Classification label: sus24.spyw.winEXE@19/71@1/1
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceExA,GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00456E68 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | File created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: setup.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: Automatically Switch Between Applications At Certain Times Software.exe | String found in binary or memory: https://order.shareit.com/cart/add?vendorid=200277235&PRODUCT[300853495]=1
Source: setup.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\setup.exe
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp "C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp" /SL5="$20434,4812598,58368,C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Comdlg32.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\mscomctl.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\MSCOMCT2.OCX"
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sbls.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sblc.ocx"
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process created: C:\Windows\SysWOW64\msiexec.exe "msiexec.exe" /i "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\tscc.msi" /qn
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe"
Source: unknown | Process created: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe "C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe" -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca
Source: C:\Users\user\Desktop\setup.exe | Sections loaded: apphelp.dll, acgenral.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, userenv.dll, dwmapi.dll, urlmon.dll, mpr.dll, sspicli.dll, winmmbase.dll, iertutil.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Sections loaded: mpr.dll, version.dll, msimg32.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, windows.storage.dll, wldp.dll, profapi.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, textshaping.dll, sspicli.dll, explorerframe.dll, sfc.dll, sfc_os.dll, propsys.dll, linkinfo.dll, ntshrui.dll, srvcli.dll, cscapi.dll, apphelp.dll, edputil.dll, urlmon.dll, iertutil.dll, netutils.dll, windows.staterepositoryps.dll, policymanager.dll, msvcp110_win.dll, twinui.appcore.dll, onecoreuapcommonproxystub.dll, execmodelproxy.dll, mrmcorer.dll, windows.staterepositorycore.dll, appxdeploymentclient.dll, bcp47mrm.dll, windows.ui.dll, windowmanagementapi.dll, inputhost.dll, twinapi.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Sections loaded: apphelp.dll, aclayers.dll, mpr.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: olepro32.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: winmm.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: olepro32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: sxs.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: mfc42.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: olepro32.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: winmm.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: msimg32.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: asycfilt.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: sharedui.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: concrt140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: netutils.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: esent.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: logoncli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: profapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: clipc.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: appxdeploymentclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.system.profile.retailinfo.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.media.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.graphics.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.ui.xaml.phone.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.energy.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.networking.connectivity.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.devices.enumeration.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: wuceffects.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.media.playback.mediaplayer.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mfplat.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: rtworkq.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.media.mediacontrol.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mmdevapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: devobj.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mfmediaengine.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: audioses.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.media.devices.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.media.playback.proxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: devdispitemprovider.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.web.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ddores.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: defaultdevicemanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: userenv.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: profext.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: comppkgsup.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mfsrcsnk.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mfcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ksuser.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: avrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mfsvr.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: msvproc.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mp4sdecd.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mfperfhelper.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: msdmo.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.graphics.display.brightnessoverride.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.graphics.display.displayenhancementoverride.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mscms.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: coloradapterclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: sspicli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.media.protection.playready.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: msxml6.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: wpnapps.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.networking.backgroundtransfer.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: systemeventsbrokerclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: wininet.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.applicationmodel.lockscreen.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: wincorlib.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: lockappbroker.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: msvcp110_win.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.security.authentication.web.core.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: vaultcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: windows.applicationmodel.background.timebroker.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: biwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: microsoftaccountwamextension.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: winhttp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dhcpcsvc6.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dhcpcsvc.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: webio.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mswsock.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: winnsi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dnsapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: rasadhlp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: fwpuclnt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: schannel.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mskeyprotect.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ntasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ncrypt.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: ncryptsslp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: rsaenh.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: gpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: cryptnet.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: dpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: gnsdk_fp.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mf.dll
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeSection loaded: mfps.dll
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Automatically Switch Between Applications At Certain Times Software.lnk.1.drLNK file: ..\..\..\..\..\..\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe
Source: Uninstall Automatically Switch Between Applications At Certain Times Software.lnk.1.drLNK file: ..\..\..\..\..\..\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\unins000.exe
Source: Automatically Switch Between Applications At Certain Times Software.lnk0.1.drLNK file: ..\..\..\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpWindow found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpAutomated click: Next >
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeWindow detected: Number of UI elements: 11
Source: C:\Windows\SysWOW64\regsvr32.exeKey value created or modified: HKEY_CURRENT_USER\Control Panel\Mouse MouseHoverTime
Source: setup.exeStatic file information: File size 5061675 > 1048576
Source: setup.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\BuildAgent\work\7ee4797dfc367fb7\bin\x64_Release\tsccvid64.pdb source: tsccvid64.dll.16.dr
Source: Binary string: D:\BuildAgent\work\7ee4797dfc367fb7\bin\Release\tsccvid.pdb source: tsccvid.dll.16.dr
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00450A28
Source: tsccvid.dll.16.drStatic PE information: section name: .00cfg
Source: tsccvid64.dll.16.drStatic PE information: section name: RT_CODE
Source: tsccvid64.dll.16.drStatic PE information: section name: .00cfg
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00406A50 push 00406A8Dh; ret 0_2_00406A85
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004093EC push 0040941Fh; ret 0_2_00409417
Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_004085B8 push ecx; mov dword ptr [esp], eax0_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00409DDC push 00409E19h; ret 1_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0041A0B8 push ecx; mov dword ptr [esp], ecx1_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00452194 push ecx; mov dword ptr [esp], eax1_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_004062CC push ecx; mov dword ptr [esp], eax1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0040A2DF push ds; ret 1_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_004605AC push ecx; mov dword ptr [esp], ecx1_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00458848 push 00458880h; ret 1_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00410970 push ecx; mov dword ptr [esp], edx1_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00412DB8 push 00412E1Bh; ret 1_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0040D2C8 push ecx; mov dword ptr [esp], edx1_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0040F828 push ecx; mov dword ptr [esp], edx1_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00443930 push ecx; mov dword ptr [esp], ecx1_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00487AF0 push ecx; mov dword ptr [esp], ecx1_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00459B60 push 00459BA4h; ret 1_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00497B18 push ecx; mov dword ptr [esp], ecx1_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00479C7C push ecx; mov dword ptr [esp], edx1_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00451FD0 push 00452003h; ret 1_2_00451FFB
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeCode function: 18_2_00409D1D push ebp; retf 18_2_00409D2B
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-4C6IM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-DEHM1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-NDUG5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Comdlg32.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-MD00T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\mscomctl.ocx (copy)
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\tsccvid.dll
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sbls.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-AVEPL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sblc.ocx (copy)
Source: C:\Users\user\Desktop\setup.exeFile created: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-0CP1D.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\SysWOW64\tsccvid64.dll
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-7F9SI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-N12AD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\MSCOMCT2.OCX (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-JJ543.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\o.cjs (copy)

Boot Survival

Source: C:\Windows\System32\msiexec.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.tscc
Source: C:\Windows\System32\msiexec.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 vidc.tscc
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Automatically Switch Between Applications At Certain Times Software
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.lnk
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Automatically Switch Between Applications At Certain Times Software\Uninstall Automatically Switch Between Applications At Certain Times Software.lnk
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Automatically Switch Between Applications At Certain Times Software.exe
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,1_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,1_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0041815E IsIconic,SetWindowPos,1_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,1_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0042466C IsIconic,SetActiveWindow,SetFocus,1_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00424624 IsIconic,SetActiveWindow,1_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,1_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,1_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00417A28 IsIconic,GetCapture,1_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,1_2_00485CFC
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpCode function: 1_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,1_2_0041F5A8
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\setup.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-4C6IM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DEHM1.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-NDUG5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Comdlg32.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-MD00T.tmp
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tsccvid.dll
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\mscomctl.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sbls.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-AVEPL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sblc.ocx (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-0CP1D.tmp
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\SysWOW64\tsccvid64.dll
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-7F9SI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\MSCOMCT2.OCX (copy)
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-JJ543.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmpDropped PE file which has not been started: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\o.cjs (copy)
Source: C:\Users\user\Desktop\setup.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_0-5996
Source: C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exeAPI coverage: 4.3 %
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exeFile opened: PhysicalDrive0
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,1_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00453238 FindFirstFileA,GetLastError,1_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,1_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,1_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,1_2_00463B44
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_0040A050
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Users\user~1\AppData\
Source: Video.UI.exe, 00000013.00000002.2526032503.0000019831D1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Video.UI.exe, 00000013.00000002.2525470827.00000198314F7000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000013.00000002.2520062567.000001982ED13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00450A28
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,1_2_0047A678
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,1_2_0042F294
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,1_2_0042E52C
Source: Automatically Switch Between Applications At Certain Times Software.exe, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp, is-4C6IM.tmp.1.dr | Binary or memory string: Shell_TrayWnd
Source: Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp, is-4C6IM.tmp.1.dr | Binary or memory string: ShowBalloonTipCTrayIconCtrlTaskbarCreatedshell32.dllTrayClockWClassTrayNotifyWndShell_TrayWndNodeClickCollapseExpandNodeCheck
Source: C:\Users\user\Desktop\setup.exe | Code function: GetLocaleInfoA,0_2_00405694
Source: C:\Users\user\Desktop\setup.exe | Code function: GetLocaleInfoA,0_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: GetLocaleInfoA,1_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: GetLocaleInfoA,1_2_00408A44
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe | Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\SRPData.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,1_2_00458E58
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | Code function: 1_2_00455DCC GetUserNameA,1_2_00455DCC
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,0_2_00404654
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Native API (2); Command and Scripting Interpreter (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (111); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (3); Registry Run Keys / Startup Folder (111); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); File Deletion (1); Masquerading (22); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (3); HTML Smuggling; Dynamic API Resolution; Stripped Payloads
Credential Access: Input Capture (111); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Peripheral Device Discovery (11); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (36); Query Registry (1); Security Software Discovery (11); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (3)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Input Capture (111); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (image not reproduced). ID: 1566854; Sample: setup.exe; Startdate: 02/12/2024; Architecture: WINDOWS; Score: 24

  • setup.exe: dropped C:\Users\user\AppData\Local\...\setup.tmp (PE32); started setup.tmp
  • setup.tmp: dropped Automatically Swit...Software.exe (copy) (PE32), C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+), C:\Program Files (x86)\...\sbls.ocx (copy) (PE32) and 14 other files (none is malicious); started Automatically Switch Between Applications At Certain Times Software.exe, regsvr32.exe, regsvr32.exe and 4 other processes
  • Automatically Switch Between Applications At Certain Times Software.exe: signature "Installs a global keyboard hook"
  • msiexec.exe: dropped C:\Windows\SysWOW64\tsccvid64.dll (PE32+) and C:\Windows\SysWOW64\tsccvid.dll (PE32); signature "Creates an undocumented autostart registry key"
  • Video.UI.exe: DNS/IP node s-part-0035.t-0009.t-msedge.net 13.107.246.63, 443, 49699, 49700 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; signature "Installs a global keyboard hook"
  • Other DNS/IP nodes: shed.dual-low.s-part-0035.t-0009.t-msedge.net; settings-ssl.xboxlive.com; 3 other IPs or domains

Source | Detection | Scanner | Label | Link
setup.exe | 0% | ReversingLabs

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Comdlg32.ocx (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\MSCOMCT2.OCX (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-0CP1D.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-JJ543.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-MD00T.tmp | 4% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-N12AD.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\is-NDUG5.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\mscomctl.ocx (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\unins000.exe (copy) | 4% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-4C6IM.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-7F9SI.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\is-AVEPL.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\o.cjs (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sblc.ocx (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sbls.ocx (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DEHM1.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp | 3% | ReversingLabs
C:\Windows\SysWOW64\tsccvid.dll | 0% | ReversingLabs
C:\Windows\SysWOW64\tsccvid64.dll | 0% | ReversingLabs

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://www.sobolsoft.com/ | 0% | Avira URL Cloud | safe
http://www.sobolsoft.com/contact/ | 0% | Avira URL Cloud | safe
https://login.windows.localhttps://login.windows.net68882 | 0% | Avira URL Cloud | safe
https://www.sobolsoft.com/contact/4https://www.sobolsoft.com/__vbaR4Var | 0% | Avira URL Cloud | safe
http://www.codejock.com | 0% | Avira URL Cloud | safe
https://login.windows.netC: | 0% | Avira URL Cloud | safe
https://www.sobolsoft.com/question/ | 0% | Avira URL Cloud | safe
https://order.shareit.com/cart/add?vendorid=200277235&PRODUCT | 0% | Avira URL Cloud | safe
https://musicimage.xboxlive.comtBeforeRS2ent/v10_video/configuration.xml | 0% | Avira URL Cloud | safe
https://www.sobolsoft.com/contact/ | 0% | Avira URL Cloud | safe
https://www.sobolsoft.com/ | 0% | Avira URL Cloud | safe
http://www.techsmith.com0 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false |  | high
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false |  | high
settings-ssl.xboxlive.com | unknown | unknown | false |  | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | setup.tmp, setup.tmp, 00000001.00000000.1245747882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD00T.tmp.1.dr, setup.tmp.0.dr | false |  | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | setup.exe | false |  | high
http://www.sobolsoft.com/ | Automatically Switch Between Applications At Certain Times Software.exe, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000000.1436731174.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, is-N12AD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://xsts.auth.xboxlive.com | Video.UI.exe, 00000013.00000002.2522930702.000001982F9AC000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.sobolsoft.com/contact/ | Automatically Switch Between Applications At Certain Times Software.exe, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000000.1436731174.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, is-N12AD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | setup.exe | false |  | high
https://login.windows.netC: | Video.UI.exe, 00000013.00000002.2522930702.000001982F9AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.codejock.com | is-7F9SI.tmp.1.dr, is-4C6IM.tmp.1.dr, is-AVEPL.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://settings-ssl.xboxlive.com/ | Video.UI.exe, 00000013.00000002.2525132276.000001983141B000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.techsmith.com | 67244e.rbs.16.dr, MSI25C3.tmp.16.dr | false |  | high
https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xmlAC | Video.UI.exe, 00000013.00000002.2525988984.0000019831D00000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.sobolsoft.com/question/ | Automatically Switch Between Applications At Certain Times Software.exe, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000000.1436731174.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, is-N12AD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://json-schema.org/draft-04/schema | Video.UI.exe, 00000013.00000002.2509686626.0000019822E2E000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://login.windows.local/ | Video.UI.exe, 00000013.00000002.2522930702.000001982F9AC000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://musicimage.xboxlive.comtBeforeRS2ent/v10_video/configuration.xml | Video.UI.exe, 00000013.00000002.2522415410.000001982F8FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.windows.localhttps://login.windows.net68882 | Video.UI.exe, 00000013.00000002.2522930702.000001982F9AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.windows.local | Video.UI.exe, 00000013.00000002.2522930702.000001982F9AC000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://login.windows.net/ | Video.UI.exe, 00000013.00000002.2522930702.000001982F9AC000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://www.remobjects.com/psU | setup.exe, 00000000.00000003.1244973334.0000000002158000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1244807517.0000000002380000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, 00000001.00000000.1245747882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD00T.tmp.1.dr, setup.tmp.0.dr | false |  | high
http://schemas.xmlsoap.org/soap/http | Video.UI.exe, 00000013.00000003.1614983139.0000019831513000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.sobolsoft.com/contact/4https://www.sobolsoft.com/__vbaR4Var | Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000000.1436731174.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, is-N12AD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d | Video.UI.exe, 00000013.00000003.1613698018.0000019831B5B000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://settings-ssl.xboxlive.com/.xml | Video.UI.exe, 00000013.00000002.2525132276.000001983141B000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://settings-ssl.xboxlive.com/XBLWinClient/v10_video/configuration.xml | Video.UI.exe, 00000013.00000002.2522415410.000001982F8FE000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000013.00000002.2525988984.0000019831D00000.00000004.00000020.00020000.00000000.sdmp, Video.UI.exe, 00000013.00000002.2522303967.000001982F862000.00000004.00000020.00020000.00000000.sdmp | false |  | high
http://support.techsmith.com | 67244e.rbs.16.dr, MSI25C3.tmp.16.dr | false |  | high
https://order.shareit.com/cart/add?vendorid=200277235&PRODUCT | Automatically Switch Between Applications At Certain Times Software.exe, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Automatically Switch Between Applications At Certain Times Software.exe, 00000012.00000000.1436731174.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, is-N12AD.tmp.1.dr | false | Avira URL Cloud: safe | unknown
https://www.sobolsoft.com/contact/ | Automatically Switch Between Applications At Certain Times Software.exe | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/ps | setup.exe, 00000000.00000003.1244973334.0000000002158000.00000004.00001000.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1244807517.0000000002380000.00000004.00001000.00020000.00000000.sdmp, setup.tmp, setup.tmp, 00000001.00000000.1245747882.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-MD00T.tmp.1.dr, setup.tmp.0.dr | false |  | high
http://www.techsmith.com0 | 67244f.msi.16.dr, is-FDRLL.tmp.1.dr, 67244c.msi.16.dr | false | Avira URL Cloud: safe | unknown
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl | Video.UI.exe, 00000013.00000003.1613698018.0000019831B5B000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://www.sobolsoft.com/ | Automatically Switch Between Applications At Certain Times Software.exe | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
13.107.246.63 | s-part-0035.t-0009.t-msedge.net | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1566854
Start date and time: 2024-12-02 18:44:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: setup.exe
Detection: SUS
Classification: sus24.spyw.winEXE@19/71@1/1
EGA Information:
  • Successful, ratio: 75%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 228
  • Number of non-executed functions: 157
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 199.232.210.172, 184.30.249.239, 2.20.40.8
                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, e87.dspb.akamaiedge.net, activation2.playready.microsoft.com, fe3cr.delivery.mp.microsoft.com, e11290.dspg.akamaiedge.net, go.microsoft.com, login.live.com, star-azurefd-prod.trafficmanager.net, go.microsoft.com.edgekey.net, settings-ssl.xboxlive.com.edgekey.net, wu-b-net.trafficmanager.net, traf-activation-global.trafficmanager.net
                                              • Execution Graph export aborted for target Video.UI.exe, PID 2024 because there are no executed function
                                              • HTTPS sessions have been limited to 150. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                              • Report size getting too big, too many NtSetValueKey calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: setup.exe
                                              No simulations
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):12724
                                                                                  Entropy (8bit):5.568370651394601
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:uYChai/AUEFEUApeg210wOIm10wO68s9UPpa6A:uYChai/ncr10wQ10wss+s6A
                                                                                  MD5:4455A85885230DC93A9CA5667ACDF623
                                                                                  SHA1:B7008CBC7F35EB30E59C99A6A8215608BD2EBFF9
                                                                                  SHA-256:446D23AE5A14576565B212CD6E57B8ECD4FC5B4E602D14696DA96F79C9FEE48C
                                                                                  SHA-512:5C7091B7F6A7A47F5F01211A3A9963421370BB62E70D5A0CE0EA5A4FB80D17154BC1D1D2F0A31EA15E5130BD29853E7FB42B41586728BC19BC9AD1A25349165A
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):909312
                                                                                  Entropy (8bit):4.573066776407015
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:Dm8CVwWoloPd6fFyyHv3zt5gv5brF7fIrCv3EoloPd6fFyy:Dm8CvF6fFyyPjt5OFCYcF6fFyy
                                                                                  MD5:416A3E33F14AF7790CDBA88921E91B2B
                                                                                  SHA1:5050E39B1741E835B194C697A882F8B69F48A1D1
                                                                                  SHA-256:722B537B04AB6338007574FFA4C272A3A0F880383BDD5FE371859ED1B16A32E5
                                                                                  SHA-512:EAE4BE768B0F802189FFDB42A1C04F5B0E2676C8D28D624A1FFB15E80B01918DC88E74B7286CF403DC1EBAC4DA5CD2B52B7D91A933F0A2C766019779A313F5DB
                                                                                  Malicious:true
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):140288
                                                                                  Entropy (8bit):6.137883567396153
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:VESIiWD8uq4hCqUt6mqD1gRshBgH/voqJrwo2CocrJbQN6N2TRqEydzXS0:VETz566VgRyOJ0oDxQRHf
                                                                                  MD5:D76F0EAB36F83A31D411AEAF70DA7396
                                                                                  SHA1:9BC145B54500FB6FBEA9BE61FBDD90F65FD1BC14
                                                                                  SHA-256:46F4FDB12C30742FF4607876D2F36CF432CDC7EC3D2C99097011448FC57E997C
                                                                                  SHA-512:9C22BC6B2E7DBCD344809085894B768CFA76E8512062C5BBF3CAEAA2771C6B7CE128BD5A0B6E385A5DA777D0D822A5B2191773CC0DDB05ABE1FA935FA853D79D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: setup (1).exe, Detection: malicious
• Filename: SSATv3_Setup-6-6-2008.exe, Detection: malicious
• Filename: NuDesign_MIBrowserBasic010_v10.2.0 (3).exe, Detection: malicious
• Filename: ITpipes 20154P.exe, Detection: malicious
• Filename: ITpipes 20154P.exe, Detection: malicious
• Filename: LCY_NewESD_Software.7z, Detection: malicious
• Filename: NetSetup.exe, Detection: malicious
• Filename: Setup(German).exe, Detection: malicious
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:MS Windows cursor resource - 1 icon, 32x32, hotspot @5x0
                                                                                  Category:dropped
                                                                                  Size (bytes):326
                                                                                  Entropy (8bit):2.562870189547158
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Gl/4SglsUgiTqt/Fv/jwqRdaSAaPZPvnCCCrR:C4HsUg4YZaS/PZPc
                                                                                  MD5:36AF4BD3E963BB6D681C3E043C06F504
                                                                                  SHA1:7A1C7A8646F6E47F38DFDD3874CA90C05D52507C
                                                                                  SHA-256:87BFEF52971132FF30F7713898A8E729E6F54976EFF957E47507F14469455976
                                                                                  SHA-512:6A6A4780B82B5539C6ABAD1DBD94C562E0E67250639649ACBB2079963AF8E740A6FD02E5717B61D4B21C5C06D16055E2CB55C052281BE4FB706AB625CA8D21C8
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):662288
                                                                                  Entropy (8bit):6.413670840194062
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:NbfIjagcfVS8jyvXMdXRZjhOgkpWXib26NS/KVL9yAP5eUD52v/pG:NbwjSEudhZkpWXib1NfVL9yUeUD58g
                                                                                  MD5:AE47A8A5FE8193BB84FFCD338115D8EF
                                                                                  SHA1:EDBE4B85F000880EBD68239EAB29FAC3D79F3113
                                                                                  SHA-256:160B0CEF5E9ED57C024E9B3A278E6456E849DAA85D46F2B6D1450BF19FCA72DD
                                                                                  SHA-512:9DFE5F65825F58E267092FAC0C7D359C7BC23EF5AD90F2ABB4614E88FDC6ADFDDFBF7DF29AABF519FB8238D5EFEC27EA1DDC386760D4D841C657226E850D7BC7
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:RIFF (little-endian) data, AVI, 1280 x 800, ~15 fps, video: FFMpeg MPEG-4
                                                                                  Category:dropped
                                                                                  Size (bytes):8509124
                                                                                  Entropy (8bit):7.746905546357579
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:5E4D6j8XR9SJtgrC05M1SYZU5llvml4YachRf7l+P86DZSIJx91lc+bQk2k7xlHW:5Efj8LWL0CVCl832JlaTY7TC5R
                                                                                  MD5:8F28AF6799F0AECE49002319D0EB9E03
                                                                                  SHA1:DC7284927D0C7C1241A488EF162D0B5288E145C2
                                                                                  SHA-256:4660FF983DD5F3078ADDD89B6D7267AD406CA82A8B6612E18A53E0C6FC7A1C6A
                                                                                  SHA-512:4BD1B5AB11EC86CD34E9EB39D8EFDFAF3FE7944082E078D2552E8D70A617926B8AEB266E032856900965524FCFA1D6F46FDAD27D4AF1F51678DD14783DE8931C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:RIFF (little-endian) data, AVI, 1280 x 800, ~15 fps, video: FFMpeg MPEG-4
                                                                                  Category:dropped
                                                                                  Size (bytes):8509124
                                                                                  Entropy (8bit):7.746905546357579
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:5E4D6j8XR9SJtgrC05M1SYZU5llvml4YachRf7l+P86DZSIJx91lc+bQk2k7xlHW:5Efj8LWL0CVCl832JlaTY7TC5R
                                                                                  MD5:8F28AF6799F0AECE49002319D0EB9E03
                                                                                  SHA1:DC7284927D0C7C1241A488EF162D0B5288E145C2
                                                                                  SHA-256:4660FF983DD5F3078ADDD89B6D7267AD406CA82A8B6612E18A53E0C6FC7A1C6A
                                                                                  SHA-512:4BD1B5AB11EC86CD34E9EB39D8EFDFAF3FE7944082E078D2552E8D70A617926B8AEB266E032856900965524FCFA1D6F46FDAD27D4AF1F51678DD14783DE8931C
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:MS Windows icon resource - 1 icon, -128x-128, 24 bits/pixel
                                                                                  Category:dropped
                                                                                  Size (bytes):51262
                                                                                  Entropy (8bit):0.2933379236155292
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:0rfGpj/q/+WxNTPUGxmWUmkesNSJ1BZHWP94tE7KpAHmjyyqhL6O+EnS:X6nEnS
                                                                                  MD5:B046E9DA51C5E8EA13ABECF59A66700F
                                                                                  SHA1:2869F20B595F821549779CBB0E6AE0A4C3D5C944
                                                                                  SHA-256:7861525A9CA4BA18D25C056C40DF0D7C87F3F82B1F8EEB03D45833EF1B0CF031
                                                                                  SHA-512:148964E72959FD1B4BDB6C471A20E39B5F4E58329F79CBC982A4164E1E3ADA476E5559BDEA63AF22E97777A1C90AFB00D5E18BB17378C9B26B26656CBC49A6B6
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:GIF image data, version 89a, 256 x 256
                                                                                  Category:dropped
                                                                                  Size (bytes):14137
                                                                                  Entropy (8bit):7.9519038483942195
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:xydBsjrLQ7q1tjYaVx2PV/ULlyMTCexnSggCn2y+Fa:1OqnGV/ULNTzSFCck
                                                                                  MD5:8BFD55A3586126EA5605AB0F20B5B2D8
                                                                                  SHA1:2D918DCE3FEC315CF535BD004F77C2B84B21DC33
                                                                                  SHA-256:BA860B8BAB87034AB6A4566AF3A9B544122D2640C8381F010DA0874B1DFFCB20
                                                                                  SHA-512:EC2BAFE96D8129B76F4CF18B6C2CA43780CFE52DB995B54D7AD8B563558D2AC3FA58887C8F179FF4F06B730AC4C5C3534C9A2D44EE8F6A5A038C88F917324AF3
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1081616
                                                                                  Entropy (8bit):6.346871871902746
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:s0LiK1d6dxOehwsj5dC33M/jYVRDSfaF0gg1CVGO7oVtNKG:n6dAehwaY19G1u7+Ln
                                                                                  MD5:ECC7D7F0D3446DE36045D1D9E964FAFE
                                                                                  SHA1:DA6B0EC081D628C33B150327F3BD16D3B7FA4729
                                                                                  SHA-256:BC58D624CEEA02AB086F1CCE809C992BF5A7105E88931853317A2F5AA5AFD6E4
                                                                                  SHA-512:443DE697BE9886CD97235E6468F3A7F6BF11612711E54DBA31431B0D9418672E1434E839ED50CACF28107F692F0C9D9D2F57D90E3A843D81015D459C180DB632
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Code page: 1252, Title: Installation Database, Subject: TechSmith Screen Capture Codec 4.1.1.0, Author: TechSmith Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install TechSmith Screen Capture Codec., Template: Intel;1033, Revision Number: {375D78F7-4C0B-4274-8295-CAB0A47FF9FB}, Create Time/Date: Mon Dec 12 17:11:24 2016, Last Saved Time/Date: Mon Dec 12 17:11:24 2016, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):1126400
                                                                                  Entropy (8bit):6.005936514242825
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:DW20Ehw57o2FxDo5WX9khcIlRsKOhYqZvZGTuINpdCOW42So9at3XyA7gTJBI:DWQwhtrk5WXIfOhYivYTJjCryo9Ii8p
                                                                                  MD5:4AED7E99BB205047FF34E17789FEE270
                                                                                  SHA1:5D3156BCE5B2D99D29C97ED4BEE416E1FA33CEF5
                                                                                  SHA-256:BDFFF4F46C2299C4606B19243EFA267D99185AAF539D9E29BF9C98C229B3F6EB
                                                                                  SHA-512:C7964800C53A99CA702C724C5BAA14D8F4432FA4143496D3F65F4C2E5ACC8E0D45369B7D33553290990E1F5CF50139768774CDCA5B75D60A3AFD1B05E97D48EE
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):140288
                                                                                  Entropy (8bit):6.137883567396153
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:VESIiWD8uq4hCqUt6mqD1gRshBgH/voqJrwo2CocrJbQN6N2TRqEydzXS0:VETz566VgRyOJ0oDxQRHf
                                                                                  MD5:D76F0EAB36F83A31D411AEAF70DA7396
                                                                                  SHA1:9BC145B54500FB6FBEA9BE61FBDD90F65FD1BC14
                                                                                  SHA-256:46F4FDB12C30742FF4607876D2F36CF432CDC7EC3D2C99097011448FC57E997C
                                                                                  SHA-512:9C22BC6B2E7DBCD344809085894B768CFA76E8512062C5BBF3CAEAA2771C6B7CE128BD5A0B6E385A5DA777D0D822A5B2191773CC0DDB05ABE1FA935FA853D79D
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:MS Windows icon resource - 1 icon, -128x-128, 24 bits/pixel
                                                                                  Category:dropped
                                                                                  Size (bytes):51262
                                                                                  Entropy (8bit):0.2933379236155292
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:0rfGpj/q/+WxNTPUGxmWUmkesNSJ1BZHWP94tE7KpAHmjyyqhL6O+EnS:X6nEnS
                                                                                  MD5:B046E9DA51C5E8EA13ABECF59A66700F
                                                                                  SHA1:2869F20B595F821549779CBB0E6AE0A4C3D5C944
                                                                                  SHA-256:7861525A9CA4BA18D25C056C40DF0D7C87F3F82B1F8EEB03D45833EF1B0CF031
                                                                                  SHA-512:148964E72959FD1B4BDB6C471A20E39B5F4E58329F79CBC982A4164E1E3ADA476E5559BDEA63AF22E97777A1C90AFB00D5E18BB17378C9B26B26656CBC49A6B6
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):730789
                                                                                  Entropy (8bit):6.52475077667875
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:/qIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPuFyxyRR:CIZg+uiirPO37fzH4A6haDbcUZEbdT9i
                                                                                  MD5:67FAA9E1BB9FC5F3725E049B0F217CDE
                                                                                  SHA1:E93B82B3DD5A5F0EB1E015171CA244FA3AFFF039
                                                                                  SHA-256:C65C34CD9F06FF3DE17F5BA95FD646BE1869E7C66FFF0182CF7C1822DDD89E6D
                                                                                  SHA-512:123BFF461EFD65A86D8867AA5021BBD87C7ED09560CB6F92BBFCB26398D22339CD4366AA63531779D56BE83A7B8B6CEFA78570A88BC3BC7E195ECCE324F2E938
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):909312
                                                                                  Entropy (8bit):4.573066776407015
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:Dm8CVwWoloPd6fFyyHv3zt5gv5brF7fIrCv3EoloPd6fFyy:Dm8CvF6fFyyPjt5OFCYcF6fFyy
                                                                                  MD5:416A3E33F14AF7790CDBA88921E91B2B
                                                                                  SHA1:5050E39B1741E835B194C697A882F8B69F48A1D1
                                                                                  SHA-256:722B537B04AB6338007574FFA4C272A3A0F880383BDD5FE371859ED1B16A32E5
                                                                                  SHA-512:EAE4BE768B0F802189FFDB42A1C04F5B0E2676C8D28D624A1FFB15E80B01918DC88E74B7286CF403DC1EBAC4DA5CD2B52B7D91A933F0A2C766019779A313F5DB
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):662288
                                                                                  Entropy (8bit):6.413670840194062
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:NbfIjagcfVS8jyvXMdXRZjhOgkpWXib26NS/KVL9yAP5eUD52v/pG:NbwjSEudhZkpWXib1NfVL9yUeUD58g
                                                                                  MD5:AE47A8A5FE8193BB84FFCD338115D8EF
                                                                                  SHA1:EDBE4B85F000880EBD68239EAB29FAC3D79F3113
                                                                                  SHA-256:160B0CEF5E9ED57C024E9B3A278E6456E849DAA85D46F2B6D1450BF19FCA72DD
                                                                                  SHA-512:9DFE5F65825F58E267092FAC0C7D359C7BC23EF5AD90F2ABB4614E88FDC6ADFDDFBF7DF29AABF519FB8238D5EFEC27EA1DDC386760D4D841C657226E850D7BC7
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:MS Windows cursor resource - 1 icon, 32x32, hotspot @5x0
                                                                                  Category:dropped
                                                                                  Size (bytes):326
                                                                                  Entropy (8bit):2.562870189547158
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:Gl/4SglsUgiTqt/Fv/jwqRdaSAaPZPvnCCCrR:C4HsUg4YZaS/PZPc
                                                                                  MD5:36AF4BD3E963BB6D681C3E043C06F504
                                                                                  SHA1:7A1C7A8646F6E47F38DFDD3874CA90C05D52507C
                                                                                  SHA-256:87BFEF52971132FF30F7713898A8E729E6F54976EFF957E47507F14469455976
                                                                                  SHA-512:6A6A4780B82B5539C6ABAD1DBD94C562E0E67250639649ACBB2079963AF8E740A6FD02E5717B61D4B21C5C06D16055E2CB55C052281BE4FB706AB625CA8D21C8
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:GIF image data, version 89a, 256 x 256
                                                                                  Category:dropped
                                                                                  Size (bytes):14137
                                                                                  Entropy (8bit):7.9519038483942195
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:xydBsjrLQ7q1tjYaVx2PV/ULlyMTCexnSggCn2y+Fa:1OqnGV/ULNTzSFCck
                                                                                  MD5:8BFD55A3586126EA5605AB0F20B5B2D8
                                                                                  SHA1:2D918DCE3FEC315CF535BD004F77C2B84B21DC33
                                                                                  SHA-256:BA860B8BAB87034AB6A4566AF3A9B544122D2640C8381F010DA0874B1DFFCB20
                                                                                  SHA-512:EC2BAFE96D8129B76F4CF18B6C2CA43780CFE52DB995B54D7AD8B563558D2AC3FA58887C8F179FF4F06B730AC4C5C3534C9A2D44EE8F6A5A038C88F917324AF3
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1081616
                                                                                  Entropy (8bit):6.346871871902746
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:s0LiK1d6dxOehwsj5dC33M/jYVRDSfaF0gg1CVGO7oVtNKG:n6dAehwaY19G1u7+Ln
                                                                                  MD5:ECC7D7F0D3446DE36045D1D9E964FAFE
                                                                                  SHA1:DA6B0EC081D628C33B150327F3BD16D3B7FA4729
                                                                                  SHA-256:BC58D624CEEA02AB086F1CCE809C992BF5A7105E88931853317A2F5AA5AFD6E4
                                                                                  SHA-512:443DE697BE9886CD97235E6468F3A7F6BF11612711E54DBA31431B0D9418672E1434E839ED50CACF28107F692F0C9D9D2F57D90E3A843D81015D459C180DB632
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Code page: 1252, Title: Installation Database, Subject: TechSmith Screen Capture Codec 4.1.1.0, Author: TechSmith Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install TechSmith Screen Capture Codec., Template: Intel;1033, Revision Number: {375D78F7-4C0B-4274-8295-CAB0A47FF9FB}, Create Time/Date: Mon Dec 12 17:11:24 2016, Last Saved Time/Date: Mon Dec 12 17:11:24 2016, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):1126400
                                                                                  Entropy (8bit):6.005936514242825
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:DW20Ehw57o2FxDo5WX9khcIlRsKOhYqZvZGTuINpdCOW42So9at3XyA7gTJBI:DWQwhtrk5WXIfOhYivYTJjCryo9Ii8p
                                                                                  MD5:4AED7E99BB205047FF34E17789FEE270
                                                                                  SHA1:5D3156BCE5B2D99D29C97ED4BEE416E1FA33CEF5
                                                                                  SHA-256:BDFFF4F46C2299C4606B19243EFA267D99185AAF539D9E29BF9C98C229B3F6EB
                                                                                  SHA-512:C7964800C53A99CA702C724C5BAA14D8F4432FA4143496D3F65F4C2E5ACC8E0D45369B7D33553290990E1F5CF50139768774CDCA5B75D60A3AFD1B05E97D48EE
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:InnoSetup Log Automatically Switch Between Applications At Certain Times Software, version 0x30, 4650 bytes, 818225\user, "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software"
                                                                                  Category:modified
                                                                                  Size (bytes):4650
                                                                                  Entropy (8bit):4.9724763363324636
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:LLIPUQSI14cVSQs0LnL/f1K0NJq0c1cXPSNSfUSffSpSJgSJZVvjbBcS:LLIchIKcVSQ1nL/f1K0NJq0c1cX68flP
                                                                                  MD5:612CFBE60975E736260AA8FDB003F696
                                                                                  SHA1:641DF88950539C5CC598593F4A1F5A59C7AEE850
                                                                                  SHA-256:6CD5FE622FBB769237B4E942BBAF01FA3F0E6ACF6AA11C91AB73A9F787393E42
                                                                                  SHA-512:164822EA6E76C9CFFAE912AED31C1E0C29E0D4FA9281E85D15341183B486FC4513BDD05FBC2D4F195641FD6890BC98C8EC90D87040FF01BECB07ABFE470EE189
                                                                                  Malicious:false
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):730789
                                                                                  Entropy (8bit):6.52475077667875
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:/qIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPuFyxyRR:CIZg+uiirPO37fzH4A6haDbcUZEbdT9i
                                                                                  MD5:67FAA9E1BB9FC5F3725E049B0F217CDE
                                                                                  SHA1:E93B82B3DD5A5F0EB1E015171CA244FA3AFFF039
                                                                                  SHA-256:C65C34CD9F06FF3DE17F5BA95FD646BE1869E7C66FFF0182CF7C1822DDD89E6D
                                                                                  SHA-512:123BFF461EFD65A86D8867AA5021BBD87C7ED09560CB6F92BBFCB26398D22339CD4366AA63531779D56BE83A7B8B6CEFA78570A88BC3BC7E195ECCE324F2E938
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1779632
                                                                                  Entropy (8bit):6.360499449474474
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:l1FVJ77Sr00N2tq0/FyQ/iiKW3ITAgdwBWKYJ1qLbXVLlcFruE6gy:lLFxFPAxTSlBgrppy
                                                                                  MD5:CE01A4DBA630802C3B57F5C383F0C418
                                                                                  SHA1:1A6C2F58A0870D3DDE64EEC668404A328C135FDC
                                                                                  SHA-256:0C9E0D800C941AC780C77F105B3CD5641AEED56E40AEF1C6E0E26B607A7A899C
                                                                                  SHA-512:479DEFBB1B7B2B7B389D7DC70C0B902414925243FA55C62EFBA8EF019459C54074D81DDE183F91DC2410A52AFBA29FB5BABF43A3585E5CC57016EC133DAA1EFB
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):559024
                                                                                  Entropy (8bit):6.424114969829696
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:DLZSoPM352YYfcGtFx6DHTxvu7BiZ3w43i:XZSt524Gt7oTM7Eg43i
                                                                                  MD5:F5DC31C9F74358C3121EB3B55BC301DD
                                                                                  SHA1:752444E4C78BB1C7E9A3DE0B5694E67BDEB25D7C
                                                                                  SHA-256:B3D054482D112E595C19A8D10D71D231217B0CA5C209DB51E8114F55EA2DE8A0
                                                                                  SHA-512:B9D114E5DA392DB735F1BA63088412C00EC722CA52D4C47F7076B3BB70D58CE394471B703CA77C8C31C7B635804A44060560CD22002C8AAC55C121DFC6BED0C0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):541816
                                                                                  Entropy (8bit):6.6843102241673416
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:JDN/5k4u34yKisgR4Jfi12XPbbPzNq3dEAPc71j53dEG:xk4u3HJ4qNEh5NEG
                                                                                  MD5:663CE82C52435D68E20910F6A7252725
                                                                                  SHA1:EF6719DB6EC6209DD832D0A336DDCCEF87343A4D
                                                                                  SHA-256:B097CC6DB98C456381B1C2F5E4827DDE3480C2F0E9561CAE81D33D5EFD8104ED
                                                                                  SHA-512:86BE243024E0C055D13516C8568090F3FC5347FD0D6764BE8C64F08C753C1F3CC4DB00AF5C2746E97C74E2F01292B5BCC855A2B94B8CB95CACFD53DD66B28FA0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):541816
                                                                                  Entropy (8bit):6.6843102241673416
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:JDN/5k4u34yKisgR4Jfi12XPbbPzNq3dEAPc71j53dEG:xk4u3HJ4qNEh5NEG
                                                                                  MD5:663CE82C52435D68E20910F6A7252725
                                                                                  SHA1:EF6719DB6EC6209DD832D0A336DDCCEF87343A4D
                                                                                  SHA-256:B097CC6DB98C456381B1C2F5E4827DDE3480C2F0E9561CAE81D33D5EFD8104ED
                                                                                  SHA-512:86BE243024E0C055D13516C8568090F3FC5347FD0D6764BE8C64F08C753C1F3CC4DB00AF5C2746E97C74E2F01292B5BCC855A2B94B8CB95CACFD53DD66B28FA0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):1779632
                                                                                  Entropy (8bit):6.360499449474474
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:l1FVJ77Sr00N2tq0/FyQ/iiKW3ITAgdwBWKYJ1qLbXVLlcFruE6gy:lLFxFPAxTSlBgrppy
                                                                                  MD5:CE01A4DBA630802C3B57F5C383F0C418
                                                                                  SHA1:1A6C2F58A0870D3DDE64EEC668404A328C135FDC
                                                                                  SHA-256:0C9E0D800C941AC780C77F105B3CD5641AEED56E40AEF1C6E0E26B607A7A899C
                                                                                  SHA-512:479DEFBB1B7B2B7B389D7DC70C0B902414925243FA55C62EFBA8EF019459C54074D81DDE183F91DC2410A52AFBA29FB5BABF43A3585E5CC57016EC133DAA1EFB
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):559024
                                                                                  Entropy (8bit):6.424114969829696
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:DLZSoPM352YYfcGtFx6DHTxvu7BiZ3w43i:XZSt524Gt7oTM7Eg43i
                                                                                  MD5:F5DC31C9F74358C3121EB3B55BC301DD
                                                                                  SHA1:752444E4C78BB1C7E9A3DE0B5694E67BDEB25D7C
                                                                                  SHA-256:B3D054482D112E595C19A8D10D71D231217B0CA5C209DB51E8114F55EA2DE8A0
                                                                                  SHA-512:B9D114E5DA392DB735F1BA63088412C00EC722CA52D4C47F7076B3BB70D58CE394471B703CA77C8C31C7B635804A44060560CD22002C8AAC55C121DFC6BED0C0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 16:45:58 2024, mtime=Mon Dec 2 16:45:58 2024, atime=Sat Jul 31 11:29:36 2021, length=909312, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1806
                                                                                  Entropy (8bit):4.475849156107027
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:8mzRSdO4sBFr7Q4kFr71i3f1dFFr7fFr7odFFr7g/9GMJWMJmyg:8mL5Nk5MfN5D5050/9Glry
                                                                                  MD5:DA52DC67C618571CDF204B37F4B2DE40
                                                                                  SHA1:1DB319870DB25AF3E0D403A09642C767999A7558
                                                                                  SHA-256:A0C79272DE2E0DD275C7A55E9ED7891D88A2DA3540556C98DEB011E882EA7DDC
                                                                                  SHA-512:321A41055EF24BD655A2D278A9CBECDCED90AAA4BE29A815D762388EC833D335BCAF27244C1B321CE95DD7689A27B832A6D2AA4ED81007F757758E648C8DD7F9
                                                                                  Malicious:false
                                                                                  Preview:L..................F.... ....{...D...@...D......c...........................s....P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2.........O.I.Y......................V.....s...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......1......Y....AUTOMA~1.........Y...Y............................kN..A.u.t.o.m.a.t.i.c.a.l.l.y. .S.w.i.t.c.h. .B.e.t.w.e.e.n. .A.p.p.l.i.c.a.t.i.o.n.s. .A.t. .C.e.r.t.a.i.n. .T.i.m.e.s. .S.o.f.t.w.a.r.e.......2......S.c .AUTOMA~1.EXE.........Y...Y......?.........................A.u.t.o.m.a.t.i.c.a.l.l.y. .S.w.i.t.c.h. .B.e.t.w.e.e.n. .A.p.p.l.i.c.a.t.i.o.n.s. .A.t. .C.e.r.t.a.i.n. .T.i.m.e.s. .S.o.f.t.w.a.r.e...e.x.e.......................-....................Nb......C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe........\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 16:45:58 2024, mtime=Mon Dec 2 16:45:58 2024, atime=Mon Dec 2 16:45:47 2024, length=730789, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1511
                                                                                  Entropy (8bit):4.5649391612711865
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8mgmuWEbdOEJslTFr+EQEhWANlhHdFFr+EjhxdFFr+Eg/oUUAzFJxJUwqygm:8mXuJbdO4sBFr7QEhNN3HdFFr7jndFFZ
                                                                                  MD5:109D382139602417C0CD9B26049EBAD2
                                                                                  SHA1:18AE25CC634BC60A7228574066CFEFAC209735D0
                                                                                  SHA-256:C97FAED6377041189504FBA11178972FBF4D6BF2DA52317E59031783761E7C77
                                                                                  SHA-512:1E9453029D27DCFC2DD9F811CFA9488FEAFB50DE4D53C7B41B6A5832945FD02C10986E21E95731DE4662FE751E769C5706C9FDA31C4B59FCDCFCFB1805B8A6C6
                                                                                  Malicious:false
                                                                                  Preview:L..................F.... ...e....D..e....D..P.7..D...&...........................P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2.........O.I.Y......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......1......Y....AUTOMA~1.........Y...Y............................kN..A.u.t.o.m.a.t.i.c.a.l.l.y. .S.w.i.t.c.h. .B.e.t.w.e.e.n. .A.p.p.l.i.c.a.t.i.o.n.s. .A.t. .C.e.r.t.a.i.n. .T.i.m.e.s. .S.o.f.t.w.a.r.e.....f.2..&...Y.. .unins000.exe..J......Y...Y......*......................f..u.n.i.n.s.0.0.0...e.x.e.......................-....................Nb......C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\unins000.exe..v.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.m.a.t.i.c.a.l.l.y. .S.w.i.t.c.h. .B.e.t.w.e.e.n. .A.p.p.l.i.c.a.t.i.o.n.s. .A.t. .C.e.r.t.a.i.n. .T.i.m.e.s. .S.o.f.t.w.a.r.e.\.u.n.i.n.s.0.0.0...e.x.e.Z.C.:.\.P.r.o.g.r.a.m. .F
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Dec 2 16:45:58 2024, mtime=Mon Dec 2 16:45:59 2024, atime=Sat Jul 31 11:29:36 2021, length=909312, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1788
                                                                                  Entropy (8bit):4.482915047283665
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:8mSJbdO4sBFr7Q4kFr71i3f4dFFr7fFr7odFFr7g/9GMJWMJmyg:8mF5Nk5MfI5D5050/9Glry
                                                                                  MD5:543EBB0E8EF153E5640D214210FAC3AB
                                                                                  SHA1:43975B3745C775DF8B9F0B7CD8F6CB9167D87237
                                                                                  SHA-256:939ADF3D1F4BCC1AC652495669CC6436E136C4D35E5F4EBD2CEA502E4635A691
                                                                                  SHA-512:8AD47308C76E24C24D1D1180B5C70B293C852A33C1F14A627DFE82838A1E9B8680D8459FCF04EB933C173BC2EB774F8A4CE7E95D7D92ED5B783BB3C70243D97D
                                                                                  Malicious:false
                                                                                  Preview:L..................F.... ....{...D....F..D......c...........................s....P.O. .:i.....+00.../C:\.....................1......Y....PROGRA~2.........O.I.Y......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.......1......Y....AUTOMA~1.........Y...Y............................kN..A.u.t.o.m.a.t.i.c.a.l.l.y. .S.w.i.t.c.h. .B.e.t.w.e.e.n. .A.p.p.l.i.c.a.t.i.o.n.s. .A.t. .C.e.r.t.a.i.n. .T.i.m.e.s. .S.o.f.t.w.a.r.e.......2......S.c .AUTOMA~1.EXE.........Y...Y......?.........................A.u.t.o.m.a.t.i.c.a.l.l.y. .S.w.i.t.c.h. .B.e.t.w.e.e.n. .A.p.p.l.i.c.a.t.i.o.n.s. .A.t. .C.e.r.t.a.i.n. .T.i.m.e.s. .S.o.f.t.w.a.r.e...e.x.e.......................-....................Nb......C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe........\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.m.a.t.i.c.a.l.l.y.
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):1520
                                                                                  Entropy (8bit):5.0183726539703795
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:2dzI4+uTOBzpoD2h9f0lM702X9bh9q02Xiwqh9U02XiSbh9Uydq2X4h9Uy72Xyh2:cK88z2D2ff97DtbfqDtqfUD9bfUywBfW
                                                                                  MD5:E72FC6D9DAF66E2D8BC9FE37BE8CE4D8
                                                                                  SHA1:667F95190910D5841E4531330001423CBB8E2030
                                                                                  SHA-256:B5CCAFA927AF87CEA7E85A2D197C2E841E557B87900665C12FA6F8059B8B9356
                                                                                  SHA-512:5D56979DBDB586601570DB6AEE666EA1DF489F3EB25285DEDC4A216834955E590158058D6B0C23D084C6C059AD91CF7B7FC32436E572693A96527F3D6E14160C
                                                                                  Malicious:false
                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<clientConfiguration xmlns="http://schemas.microsoft.com/XblWinClient/2012/03" version="1">.. <targetedClient>XblWinClient</targetedClient > .. <rights>Copyright (c) Microsoft Corporation. All rights reserved.</rights>.. <configuration name="Playback" minBuild="16122.1018">.. <property name="UseAdaptiveMediaSourcePercent" value="50" type="int32"/>.. <property name="UseDashContentForMBRSourcePercent" value="100" type="int32"/>.. </configuration>.. <configuration name="Playback" minBuild="16122.1018" maxBuild="17032.1033">.. <property name="UseDashContentForMBRSourcePercentBeforeRS2" value="0" type="int32"/>.. </configuration>.. <configuration name="Playback" minBuild="17032.1034">.. <property name="UseDashContentForMBRSourcePercentBeforeRS2" value="100" type="int32"/>.. </configuration>.. <configuration name="Groveler" minBuild="17063.0" maxBuild="17082.9999">..
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):4770
                                                                                  Entropy (8bit):7.946747821604857
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                                                                                  MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                                                                                  SHA1:719C37C320F518AC168C86723724891950911CEA
                                                                                  SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                                                                                  SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):338
                                                                                  Entropy (8bit):3.2760409958454813
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:kkFkl1mvfllXlE/0htlnf16pFRltB+SliQlP8F+RlTRe86A+iRlERMta9b3+AL0V:kKfsN+SkQlPlEGYRMY9z+s3Ql2DUevat
                                                                                  MD5:97EF48EB45B16735D1375932B487D46F
                                                                                  SHA1:8CD8CEA560952E0529BC9146DE1AAEECFD5FE347
                                                                                  SHA-256:BE2EFD8305C637A1EFB103EFCB7F49B55B0A1A21A6EBF91DBCCF7050C1584B4D
                                                                                  SHA-512:72DD0073FF06D886BD4E97D7AF64A44031548DDB9A36102D2E72825EA1CABCF0CFB0D52B5B05ACA83007D10641A3C0B01BE409FC57866804BF0C164AF86A5F19
                                                                                  Malicious:false
                                                                                  Preview:p...... ........_}N..D..(....................................................... .........p.........$.....(=........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:RAGE Package Format (RPF),
                                                                                  Category:dropped
                                                                                  Size (bytes):5113
                                                                                  Entropy (8bit):6.0781779006405285
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:rm+OE4Cy034BNMYVUXiksiGAshzcEeIZY/v3QZMhMKUVeQ:rm+OEyc8LQifiDk0Q
                                                                                  MD5:022AF45906963407A08CDF33925B349F
                                                                                  SHA1:36A0AA688E9BEE6BB39EEB1B8F2AFD5E756024E3
                                                                                  SHA-256:8F5E674BD98459A4F954B8C3440A44EC728AB9B0A461DD775C0C8A1747F26E24
                                                                                  SHA-512:2AF01294BEE83B0B747823D79F5304CCE209E28D608279CE86D1383293D4197AE5CA758F2A894DB719020B5402355F1D7D9E3F6ABD23631F9853339C7CA84778
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):528384
                                                                                  Entropy (8bit):0.012995060249977089
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:22aI3m7Z5WomPtV0wfDXECEe7Z5g4bcv8jvfx+7Z51hn0:22aI3m95hwJflt95eCHx+95/n0
                                                                                  MD5:00F6954E9BF30FC2B8822765C9035615
                                                                                  SHA1:3E9E30DF3F727EB1AA58B89CC8D51948510F1A1A
                                                                                  SHA-256:08B92A8EC8920DDCF6B8E669F0120B3E294BE3365D027596F349AE0B057A156C
                                                                                  SHA-512:D59161EF63A8B6D707AD08EC4B1C833BB1FF669D88361403E1B0F9F5CA0D5DE178F63E8DA98C66012F2AAE746788523022E5A7FAADAA692E739D09B07B60974B
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x7700824b, page size 8192, DirtyShutdown, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):3670016
                                                                                  Entropy (8bit):0.2214832384541091
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:fSh2yKY8km/nbqgTC0/k63bBu7fhWxvM6JSh2eKY8ksyDFqfOVgTC0/k63bBu7fV:f6tLgw6J6hL16o
                                                                                  MD5:ABA2F67858BE2A032D9F505AE3DB2F39
                                                                                  SHA1:5F7D89DD63DBF62CEA3A42A2CA7F82CA1AC6C076
                                                                                  SHA-256:D7E8ADD176D520EF246453BA2813925E1733B6DEA14D5BDC2F0FDA1C2F356ABF
                                                                                  SHA-512:D355F01C9AA595A9D18C8A6DC2F6BF429D8CBB480E2D012AD7577E6DC7D036E01B97FB0A13F15D656C7A8BA8395C31AE4080DA87CA1111BB39298D255B4BAA87
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):0.04720722854363082
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:98lliUepQll/tllL0EQSlHYll:q/iUH/1j0f0I
                                                                                  MD5:1A31A580493D6499DB4387019CDA4366
                                                                                  SHA1:86CE98B8D190C7679E75C1E264A32F910C289741
                                                                                  SHA-256:4F135D50040E66C097B52037D7ECBDA93F2C97AEF7FF09B29E8E72B27CB11175
                                                                                  SHA-512:27E6EF6AB76BE664F659DFF9DC017472AE12C5CC161E77B78DCE652AC2E6BB108595CE385716FA25E6A06CD742D2FB8B2F9909E15D3DCA5F8918746AFBB87AAA
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:OpenPGP Public Key
                                                                                  Category:dropped
                                                                                  Size (bytes):8192
                                                                                  Entropy (8bit):0.6340527302734059
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:vtZYdZUI1+uJ1sdZUI1+uJ1AQelBsLtZYdZUI1+uJ1sdZUI1+uJ1AQelBs:v7YbUO/sbUO/A27YbUO/sbUO/A
                                                                                  MD5:6EC0225D4F80276B443DB9F99E35918F
                                                                                  SHA1:8436B31CD107938082C6C914E5DDCE8E2F3E916D
                                                                                  SHA-256:60E05608FA32B4D78D01ACCF6D657C49B2D8812C81483F36DAA4546303DFC93E
                                                                                  SHA-512:AC803AC4CF5837013372385715BE2637E871C9C56B7197B8440EC28A4456C3E11675FA67D0B09A1AC688FB8A4C4486236DD83121C46C47F4D7EF3978C13D9CBF
                                                                                  Malicious:false
                                                                                  Preview:..:.................Y.......|..................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...........................................................................................................................................................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\............................................................................................................................................................0u..,.....................5w.................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2097152
                                                                                  Entropy (8bit):0.6847294588935346
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:RoGkR1dJEBmHlNDul5uaca+ciywzWQOXsjBiN+82fO4kF6Es15e8AZ5yeh0G32fi:RoGkR/Dt9O1xFJT0QgtaRmk
                                                                                  MD5:55105D9F6999A94B6AF4EC95C408B9EB
                                                                                  SHA1:E1FE8F56569F099BD2B74EB9F11F3C7D5C67504C
                                                                                  SHA-256:3EA7B8F391C661EC09915B2BCDF1E386B872752961633139B464ECED7E7564A1
                                                                                  SHA-512:ECA236A0D0EA19E70FB2DEAF0633C7E15E6CE617FFCD77654AB3D75A41E3F4B1A62A7AB14C53AA234FA56E67EF55D5D46E37408B872A88580250EA314D84E58C
                                                                                  Malicious:false
                                                                                  Preview:"Md............ .....|.......................Y.......|..................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\...........................................................................................................................................................C:\Users\user\AppData\Local\Packages\Microsoft.ZuneVideo_8wekyb3d8bbwe\LocalState\Database\anonymous\............................................................................................................................................................0u..,.....................5w.......................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2097152
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:B2D1236C286A3C0704224FE4105ECA49
                                                                                  SHA1:7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
                                                                                  SHA-256:5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
                                                                                  SHA-512:731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2097152
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:B2D1236C286A3C0704224FE4105ECA49
                                                                                  SHA1:7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
                                                                                  SHA-256:5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
                                                                                  SHA-512:731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):2097152
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:B2D1236C286A3C0704224FE4105ECA49
                                                                                  SHA1:7D76D48D64D7AC5411D714A4BB83F37E3E5B8DF6
                                                                                  SHA-256:5647F05EC18958947D32874EEB788FA396A05D0BAB7C1B71F112CEB7E9B31EEE
                                                                                  SHA-512:731859029215873FDAC1C9F2F8BD25A334ABF0F3A9E1B057CF2CACC2826D86B0C26A3FA920A936421401C0471F38857CB53BA905489EA46B185209FDFF65B3B6
                                                                                  Malicious:false
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xd4293693, page size 8192, JustCreated, Windows version 0.0
                                                                                  Category:dropped
                                                                                  Size (bytes):262144
                                                                                  Entropy (8bit):0.024054499618031164
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:rVi0O/CdVi0O/C2YRXfadAsAlBsRb8lBQBQnoAw8clNzV4RGqzTLkrvu+R3upq:JA6AzYRSdjJTByXUNzVkNzTLsuu3uU
                                                                                  MD5:A73251A27F62121B6091D21BB6D3F5F9
                                                                                  SHA1:47A4D60F4F7C2F5878A80298C755D3F317F4A795
                                                                                  SHA-256:0B6F9652F130283F8E28987448258F33FD6D640651106DBC77757BA097B1DB38
                                                                                  SHA-512:6CB974CC39CAD9980F9459F2E6B21B182C23266416B9EF3EA3BE99225BFFB1C1F386F0658C5211334D8370E6EDA472B319974B6F59919F35035D1E19C22BB7D2
                                                                                  Malicious:false
                                                                                  Preview:.)6.... .......@.......=].j.....|A.......................................................................................................................................................................................................... ...................................................................................................... ....................................................................................................................................................................................................................................................T.......|A.....................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):264
                                                                                  Entropy (8bit):4.8451960158093605
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:e28IqUHeE7PnC8vPNhy5mOU9nCEGmNrDnb:eCznv3OU4FsrDnb
                                                                                  MD5:F3E40B3529306BA6B50F98A20DB1343C
                                                                                  SHA1:CC3321F12AC01E05FEBC879C3915EC11EBEE6EBE
                                                                                  SHA-256:5831CFEE1FFC0DFD59AE99C84A95B44E1B77D968649C7219714808FEFEA2AEB8
                                                                                  SHA-512:4860A124976C7703B4E1516FC5F1F9CAF21902C14F1D01146803C9C24881DE038006D55420FF3EDA4B0DC3228538D128F2E4B86C35ECE023855073C3BF3FE992
                                                                                  Malicious:false
                                                                                  Preview:<SRPData version="1" sessionId="1"><Outcomes><Outcome id="videoCompleted" timesOccurred="0" /></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="2" monthOfLastLaunch="12" yearOfLastLaunch="2024" userHasAccepted="false" timesPolled="0"/></SRPData>
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:ASCII text, with no line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):264
                                                                                  Entropy (8bit):4.8451960158093605
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:e28IqUHeE7PnC8vPNhy5mOU9nCEGmNrDnb:eCznv3OU4FsrDnb
                                                                                  MD5:F3E40B3529306BA6B50F98A20DB1343C
                                                                                  SHA1:CC3321F12AC01E05FEBC879C3915EC11EBEE6EBE
                                                                                  SHA-256:5831CFEE1FFC0DFD59AE99C84A95B44E1B77D968649C7219714808FEFEA2AEB8
                                                                                  SHA-512:4860A124976C7703B4E1516FC5F1F9CAF21902C14F1D01146803C9C24881DE038006D55420FF3EDA4B0DC3228538D128F2E4B86C35ECE023855073C3BF3FE992
                                                                                  Malicious:false
                                                                                  Preview:<SRPData version="1" sessionId="1"><Outcomes><Outcome id="videoCompleted" timesOccurred="0" /></Outcomes><Threshold launches="1" daysLaunched="1" dayOfLastLaunch="2" monthOfLastLaunch="12" yearOfLastLaunch="2024" userHasAccepted="false" timesPolled="0"/></SRPData>
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):1.8964038066251323
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:DJWqx2NDD65da/FB+ZLPKrfgxczH06R8oRnB6wf:VWqEf65dtPK1yoxB6
                                                                                  MD5:B2C55CF085344C1A395512E4A664FD74
                                                                                  SHA1:781A48E0A799293C756F3691AF9E25062849D9AE
                                                                                  SHA-256:C1A0DE752AEFE9851EFA4EB748A52B2CB7E68F441D2CB69974813F55BBBC48A4
                                                                                  SHA-512:56367A06D9E82D649C4DE6659E166D1CEBC93C98DDB5F23AB176A34DB420D054235315B5C7E93FD3F9192ECF39A7EF5FF3F5D5716910AA3D76E277AAD68B8505
                                                                                  Malicious:false
                                                                                  Preview:regf........b.Q.7.................. .... ......y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm..L..D..............................................................................................................................................................................................................................................................................................................................................[...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                  Category:dropped
                                                                                  Size (bytes):12288
                                                                                  Entropy (8bit):2.426303601850156
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:YJ9qx2NDD65da/FB+ZLPKrfgxczH06R8oRnB6wf:89qEf65dtPK1yoxB6
                                                                                  MD5:A2B3F5045750620090E3CF4BFD8E9C33
                                                                                  SHA1:0BBF05094E7A7ABFD749D5261D7BA02D17C41FC6
                                                                                  SHA-256:A8EA58EEFA433FF374A2C53CD932C796A0F9F94C9AFD28243433F642B977F938
                                                                                  SHA-512:0A22D7CB0683DE83BCF6C02CE9AA3AC96C7B7958324E2BCFB1DB172A9B7C495546515002A846DC48A412BD2F6119022F990211BCFB17A03438CBC11DFC7B5AEC
                                                                                  Malicious:false
                                                                                  Preview:regf........b.Q.7.................. .... ......y.b.3.d.8.b.b.w.e.\.S.e.t.t.i.n.g.s.\.s.e.t.t.i.n.g.s...d.a.t...y..j.....J.....y..j.....J.........z..j.....J.....rmtm..L..D..............................................................................................................................................................................................................................................................................................................................................\...HvLE............. ........J{._..%....i..... ..hbin................b.Q.7..........nk,.T...7..................................x...............................Test....p...sk..h...h.......t.......H...X.............4.........?.......................?....................... ... ...............YQ..fr]%dc;.............nk .v.r..D..................(...............h...............................Configuration...p...sk..x...x.......t.......H...X.............4.........?.......................
                                                                                  Process:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):6144
                                                                                  Entropy (8bit):4.720366600008286
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                  MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                  SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                  SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                  SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                  Process:C:\Users\user\Desktop\setup.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:modified
                                                                                  Size (bytes):719360
                                                                                  Entropy (8bit):6.516657933329927
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:XqIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPuFyxyR:aIZg+uiirPO37fzH4A6haDbcUZEbdT9+
                                                                                  MD5:1AFBD25DB5C9A90FE05309F7C4FBCF09
                                                                                  SHA1:BAF330B5C249CA925B4EA19A52FE8B2C27E547FA
                                                                                  SHA-256:3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C
                                                                                  SHA-512:3A448F06862C6D163FD58B68B836D866AE513E04A69774ABF5A0C5B7DF74F5B9EE37240083760185618C5068BF93E7FD812E76B3E530639111FB1D74F4D28419
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*............................,.............@.......................................@......@..............................2&...........................................................@......................................................CODE....p........................... ..`DATA....D...........................@...BSS......................................idata..2&.......(..................@....tls.........0...........................rdata.......@......................@..P.reloc.. ....P......................@..P.rsrc...............................@..P....................................@..P........................................................................................................................................
                                                                                  Process:C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):360448
                                                                                  Entropy (8bit):3.9496065034466206
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:zyGgwcY+/Rh3hpRxoPns8Kg6fFyy6qjYRERi+EFw4ogDUS8:1oloPd6fFyyHv3z
                                                                                  MD5:2FD8E17C68CCCA2570421D8B7487D0FB
                                                                                  SHA1:211D031840DCA0AF912C0F16D012A71CC12C7B03
                                                                                  SHA-256:88AA40C0E8E57970939E42DDBCE2E6DC40C634C1BA55CEBD91D11900F0A3C136
                                                                                  SHA-512:3FC94653515B930DF0D208CF23FF362D49D0A1A17915D4FCC8EB730B98BF6475A83718CF039FC15B7926F8FFE9C4A9BB93BF2FF394CD122F6432C5773EC144A4
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Code page: 1252, Title: Installation Database, Subject: TechSmith Screen Capture Codec 4.1.1.0, Author: TechSmith Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install TechSmith Screen Capture Codec., Template: Intel;1033, Revision Number: {375D78F7-4C0B-4274-8295-CAB0A47FF9FB}, Create Time/Date: Mon Dec 12 17:11:24 2016, Last Saved Time/Date: Mon Dec 12 17:11:24 2016, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):1126400
                                                                                  Entropy (8bit):6.005936514242825
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:DW20Ehw57o2FxDo5WX9khcIlRsKOhYqZvZGTuINpdCOW42So9at3XyA7gTJBI:DWQwhtrk5WXIfOhYivYTJjCryo9Ii8p
                                                                                  MD5:4AED7E99BB205047FF34E17789FEE270
                                                                                  SHA1:5D3156BCE5B2D99D29C97ED4BEE416E1FA33CEF5
                                                                                  SHA-256:BDFFF4F46C2299C4606B19243EFA267D99185AAF539D9E29BF9C98C229B3F6EB
                                                                                  SHA-512:C7964800C53A99CA702C724C5BAA14D8F4432FA4143496D3F65F4C2E5ACC8E0D45369B7D33553290990E1F5CF50139768774CDCA5B75D60A3AFD1B05E97D48EE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Code page: 1252, Title: Installation Database, Subject: TechSmith Screen Capture Codec 4.1.1.0, Author: TechSmith Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install TechSmith Screen Capture Codec., Template: Intel;1033, Revision Number: {375D78F7-4C0B-4274-8295-CAB0A47FF9FB}, Create Time/Date: Mon Dec 12 17:11:24 2016, Last Saved Time/Date: Mon Dec 12 17:11:24 2016, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2
                                                                                  Category:dropped
                                                                                  Size (bytes):1126400
                                                                                  Entropy (8bit):6.005936514242825
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:DW20Ehw57o2FxDo5WX9khcIlRsKOhYqZvZGTuINpdCOW42So9at3XyA7gTJBI:DWQwhtrk5WXIfOhYivYTJjCryo9Ii8p
                                                                                  MD5:4AED7E99BB205047FF34E17789FEE270
                                                                                  SHA1:5D3156BCE5B2D99D29C97ED4BEE416E1FA33CEF5
                                                                                  SHA-256:BDFFF4F46C2299C4606B19243EFA267D99185AAF539D9E29BF9C98C229B3F6EB
                                                                                  SHA-512:C7964800C53A99CA702C724C5BAA14D8F4432FA4143496D3F65F4C2E5ACC8E0D45369B7D33553290990E1F5CF50139768774CDCA5B75D60A3AFD1B05E97D48EE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):3812
                                                                                  Entropy (8bit):5.670604971887015
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:zYasqRHs2dg7kub5J8VJxjd5nwnqtpeTEsw9YKfQEPL/isure:zYCDg7nexPEspeSVYWL/ure
                                                                                  MD5:D6A0F7DFA112A2FB7DB16B7CE7A42672
                                                                                  SHA1:00F9BC852634A904504D9AACBDE0545AEC6FFFA9
                                                                                  SHA-256:777F65AC1CF859735E43E6C1CB517711CD077DE34FC6E2AEF6D5E35F9BEA4BC5
                                                                                  SHA-512:517F924B7C0A39E601210CFC57012E5EB1C04ABCABF39FD7A8B92DCEAA1C0D9848B44B8DD0C868B2230676DF7FE7BCBAB275FEB38F241CFA9602739062F2616D
                                                                                  Malicious:false
                                                                                  Preview:...@IXOS.@.....@.e.Y.@.....@.....@.....@.....@.....@......&.{84FE50F5-B0F3-4D18-8BE8-A4DEEE0C37AD}..TechSmith Screen Capture Codec..tscc.msi.@.....@.....@.....@........&.{375D78F7-4C0B-4274-8295-CAB0A47FF9FB}.....@.....@.....@.....@.......@.....@.....@.......@......TechSmith Screen Capture Codec......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{7CB1AF61-3956-4F67-8719-470A0176F192}&.{84FE50F5-B0F3-4D18-8BE8-A4DEEE0C37AD}..&.{7CB1AF61-3956-4F67-8719-470A0176F192}...@.....@.......@.....@.....@.]....&.{A59CAEBA-B7C3-48C2-AE65-85D4DC564CDC}..C:\Windows\SysWOW64\tsccvid.dll.@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@......&.{44C43B1E-F6FC-438D-BBEB-2D84A0ECBA13}!.C:\Windows\SysWOW64\tsccvid64.dll.@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@......&.{EC86592A-78A5
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.1623323691556475
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:JSbX72Fj5AGiLIlHVRpzh/7777777777777777777777777vDHF/w+IH1p01l0i5:JjQI53pgw8F
                                                                                  MD5:76C4B57A987758802F9B4A21CED9DB96
                                                                                  SHA1:7EFC09CACC4654552880815813A123F4B2FD7233
                                                                                  SHA-256:BFC7C3206999383A7876638C3797296A40123BEDC6711ED4EFDF80C4778990DF
                                                                                  SHA-512:BA1136F41D5E7AC978650D1BBA0C089FC8CFE4F9BFEE493D08977EA66CBD8DB024CDF08A9B804B234C1DD80FE47DC424B4E4D067BA967967DE392B8EEF80FF86
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.438845791870971
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:z8PhDuRc06WXz4jT5HdFFr7RTNS59OiSIr83uK:ahD19jTh59RQ7ke
                                                                                  MD5:B9D64026DAF4AB42101E721A61BC29EE
                                                                                  SHA1:E25F5A480146CBCC9974413830E9D78815CD37D6
                                                                                  SHA-256:CDF4980DE887293249FFC5352704124BD255C7665C5D6145112E99739CCA9B73
                                                                                  SHA-512:3FBB11E1E3C4AD6D128A376159BC94355170229E5B38E522311E9772B36C34215A8EE2F89F91E6CBB425CA59EE253004E8D7FDA852FCEFF6EBCBCA4B0F3C7182
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):360001
                                                                                  Entropy (8bit):5.362970808062057
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaup:zTtbmkExhMJCIpEM
                                                                                  MD5:79B855C74E6E8D1BB8917B37E3528AC9
                                                                                  SHA1:0C236B1D327E97D5D20EA8484F42907179EE34A6
                                                                                  SHA-256:A04546C33180FDAECF997B837A58C31FE55B59391ECF58E1F42D8FADBCCDA2C2
                                                                                  SHA-512:05F4727207A20AFDE74302D0C9234F59138A475CF739B06F550B051836F779D0BC42D0EF33CA81B06D9E20C68C11FC84C121DA340E079B769C4187FDC33940F8
                                                                                  Malicious:false
                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):854016
                                                                                  Entropy (8bit):6.228179487515137
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:EtENe+WShShShShSRBnanInwHHGJ156REj0TynDdkl+f3e2TBGhxhNhNhNhnt:KEPaIwHHGZyh2TBoDHHHn
                                                                                  MD5:6EE215930216D085AF3F7C5BFCD83F57
                                                                                  SHA1:163ED62F4AAA1A81641A61D16F9C1477E9ACB7FB
                                                                                  SHA-256:85D059C56A2D74BD56629D3AB212C4DC9F3CF21491B2B55233B0F2D07F8B6967
                                                                                  SHA-512:F54D6704339EBF6E32B179877E104F7CEC7C1E0749183EAAC01EA555FEF0CF6732DEB7D5D0E77106A2FD5D4A06D6CC7C549CB6420E32E197A8A5B6BE1E8608E3
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........l...?...?...?0t"?...?0t ?...?0t!?...?..>...?..>...?..>...?V..>...?...?...?...?...?..?...?Y..?...?...?...?V..>...?V..>...?V.,?...?..D?...?V..>...?Rich...?........................PE..L.....NX...........!.........^...............................................`............@.............................W.......d............................ .../..`~..8............................~..@............................................text............................... ..`.rdata..............................@..@.data....$..........................@....idata..............................@..@.gfids..............................@..@.00cfg..............................@..@.rsrc...............................@..@.reloc..\8... ...:..................@..B........................................................................................................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):964608
                                                                                  Entropy (8bit):6.006126498633475
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:uP0c2yei24yzflwFl2e520qxlTmCHHDD:udqxlTHHHDD
                                                                                  MD5:FB514B6BB5230403730FC98AF2561D16
                                                                                  SHA1:BAEEF7466A2BAA79E20BB9C26C792E2FA94733CD
                                                                                  SHA-256:93C6288B4AF090CB769A9535C16C47230F5AE7AF741A2D2567057769CA4C4DC5
                                                                                  SHA-512:65C5818F017DCC031FECEA137D130323EDCCA63885948108F5E0905218203BD7B9F7E41B2DEA1F5ADBD3B3D32C2770CB4B7BDF26B78AD27BD9D01E077C1D21EE
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......................ME......ME.....ME...........................+......................$&/............+.......+.......+.........s.....+.......Rich....................PE..d...'.NX.........." .................;.......................................0............`.............................................Z.......d............P...P..............,....v..8............................v...............................................text...>........................... ..`RT_CODE............................. ..`.rdata...%.......&..................@..@.data....8..........................@....pdata...Y...P...Z..................@..@.idata...............n..............@..@.gfids..............................@..@.00cfg..............................@..@.rsrc...............................@..@.reloc..J...........................@..B........................................
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.160989933765952
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:qibuIrh8FXzbT5pdFFr7RTNS59OiSIr83uK:RbklTf59RQ7ke
                                                                                  MD5:2528D0110205F29C887B9BB74BC8AD6D
                                                                                  SHA1:F5F8A8C1616879D128409E516AF184CCB027574E
                                                                                  SHA-256:22031B172A2E7F4E4AC3AE964658B2AB942D3D97B2700F22FA07428F80827C33
                                                                                  SHA-512:E64917C0B4C6517D549851195007862A354C9AF8EB44B61580325E5AD1AEBFC6E050AC0466BD9B712A7D359ED18148C0ECCBE4D64EBECC75199AEBDCE8061F5B
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.160989933765952
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:qibuIrh8FXzbT5pdFFr7RTNS59OiSIr83uK:RbklTf59RQ7ke
                                                                                  MD5:2528D0110205F29C887B9BB74BC8AD6D
                                                                                  SHA1:F5F8A8C1616879D128409E516AF184CCB027574E
                                                                                  SHA-256:22031B172A2E7F4E4AC3AE964658B2AB942D3D97B2700F22FA07428F80827C33
                                                                                  SHA-512:E64917C0B4C6517D549851195007862A354C9AF8EB44B61580325E5AD1AEBFC6E050AC0466BD9B712A7D359ED18148C0ECCBE4D64EBECC75199AEBDCE8061F5B
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.06866838201560514
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO/g9+IHOtoVky6l0t/:2F0i8n0itFzDHF/w+IH801
                                                                                  MD5:F3B24B6A691A37B6CE6435754A00CC87
                                                                                  SHA1:A78A8E3802D793802386B10C13076CA1AD99F1EF
                                                                                  SHA-256:94573DFA792BAE8D346608A48ECD1D412FB6C70F3D2A3145FCF7FB816E614193
                                                                                  SHA-512:84CD346D396F143F5CC20A835270C93C9016E3F3C2A63871C20C2B39AADD02D50A7749874A2F6B0E404E92F4A122F30BDA538E3B151027A2589212615EF32738
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.438845791870971
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:z8PhDuRc06WXz4jT5HdFFr7RTNS59OiSIr83uK:ahD19jTh59RQ7ke
                                                                                  MD5:B9D64026DAF4AB42101E721A61BC29EE
                                                                                  SHA1:E25F5A480146CBCC9974413830E9D78815CD37D6
                                                                                  SHA-256:CDF4980DE887293249FFC5352704124BD255C7665C5D6145112E99739CCA9B73
                                                                                  SHA-512:3FBB11E1E3C4AD6D128A376159BC94355170229E5B38E522311E9772B36C34215A8EE2F89F91E6CBB425CA59EE253004E8D7FDA852FCEFF6EBCBCA4B0F3C7182
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.438845791870971
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:z8PhDuRc06WXz4jT5HdFFr7RTNS59OiSIr83uK:ahD19jTh59RQ7ke
                                                                                  MD5:B9D64026DAF4AB42101E721A61BC29EE
                                                                                  SHA1:E25F5A480146CBCC9974413830E9D78815CD37D6
                                                                                  SHA-256:CDF4980DE887293249FFC5352704124BD255C7665C5D6145112E99739CCA9B73
                                                                                  SHA-512:3FBB11E1E3C4AD6D128A376159BC94355170229E5B38E522311E9772B36C34215A8EE2F89F91E6CBB425CA59EE253004E8D7FDA852FCEFF6EBCBCA4B0F3C7182
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.160989933765952
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:qibuIrh8FXzbT5pdFFr7RTNS59OiSIr83uK:RbklTf59RQ7ke
                                                                                  MD5:2528D0110205F29C887B9BB74BC8AD6D
                                                                                  SHA1:F5F8A8C1616879D128409E516AF184CCB027574E
                                                                                  SHA-256:22031B172A2E7F4E4AC3AE964658B2AB942D3D97B2700F22FA07428F80827C33
                                                                                  SHA-512:E64917C0B4C6517D549851195007862A354C9AF8EB44B61580325E5AD1AEBFC6E050AC0466BD9B712A7D359ED18148C0ECCBE4D64EBECC75199AEBDCE8061F5B
                                                                                  Malicious:false
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):69632
                                                                                  Entropy (8bit):0.09395621727023885
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:YdAKLzmEJfAeb+ipVvipV7V3+bpG6ZkIp+idFFr+E:YK6mEr+S9S59O5pNdFFr7
                                                                                  MD5:1B9905541927A4CFA3C9930571689F2B
                                                                                  SHA1:4575257B91BC200F647B6AE7B1F1972CD472DFEF
                                                                                  SHA-256:58EA5BB50A5E90CE4A713177BA686576250853DD053B8256E2838D464BCDA27F
                                                                                  SHA-512:D28DB68B270AC0E41AC518B64242401B633C888A028385349676BBBD295B8151B2824061D7DC923B3FE824F56E8390123B4A11164F3B08C29B74C57DB5343E7B
                                                                                  Malicious:false
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.998768522794033
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                                  • Inno Setup installer (109748/4) 1.08%
                                                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  File name:setup.exe
                                                                                  File size:5'061'675 bytes
                                                                                  MD5:7186a29ce1fa3f48a7d318e0b4768575
                                                                                  SHA1:73290e5070f43fdaabc6373056e6aeace4d449ea
                                                                                  SHA256:c5df6e91a9211a4240084381e885b6195b0391009c3a5554106d8d0fb852d406
                                                                                  SHA512:f51fc0c2a4916c3e8cdc42054ecce5f026cb49ea939c48e0699462aeff070f49237a12ad213adb435b889ede74230cd6d44087dc45319f4d72f5c8f52ddc51d9
                                                                                  SSDEEP:98304:ZlpHu3lN2Z+hb1oFj6seR8NrCP5tj6RRTMsam/fxs+rVa2e0xnQ1X:PlaCdva8NuRtj6RapWfxs+rheDB
                                                                                  TLSH:11363304D602E4FDD6666AF48B2D5F758C2B3E7E247865883B514E137B04FA09E02BDB
                                                                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                  Icon Hash:2d2e3797b32b2b99
                                                                                  Entrypoint:0x40aad0
                                                                                  Entrypoint Section:CODE
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:1
                                                                                  OS Version Minor:0
                                                                                  File Version Major:1
                                                                                  File Version Minor:0
                                                                                  Subsystem Version Major:1
                                                                                  Subsystem Version Minor:0
                                                                                  Import Hash:2fb819a19fe4dee5c03e8c6a79342f79
                                                                                  Instruction
                                                                                  push ebp
                                                                                  mov ebp, esp
                                                                                  add esp, FFFFFFC4h
                                                                                  push ebx
                                                                                  push esi
                                                                                  push edi
                                                                                  xor eax, eax
                                                                                  mov dword ptr [ebp-10h], eax
                                                                                  mov dword ptr [ebp-24h], eax
                                                                                  call 00007F8EF0C42FDBh
                                                                                  call 00007F8EF0C441E2h
                                                                                  call 00007F8EF0C44549h
                                                                                  call 00007F8EF0C4499Ch
                                                                                  call 00007F8EF0C4693Bh
                                                                                  call 00007F8EF0C492D2h
                                                                                  call 00007F8EF0C49439h
                                                                                  xor eax, eax
                                                                                  push ebp
                                                                                  push 0040B1A1h
                                                                                  push dword ptr fs:[eax]
                                                                                  mov dword ptr fs:[eax], esp
                                                                                  xor edx, edx
                                                                                  push ebp
                                                                                  push 0040B16Ah
                                                                                  push dword ptr fs:[edx]
                                                                                  mov dword ptr fs:[edx], esp
                                                                                  mov eax, dword ptr [0040D014h]
                                                                                  call 00007F8EF0C49F0Bh
                                                                                  call 00007F8EF0C49AF6h
                                                                                  cmp byte ptr [0040C234h], 00000000h
                                                                                  je 00007F8EF0C4A9EEh
                                                                                  call 00007F8EF0C4A008h
                                                                                  xor eax, eax
                                                                                  call 00007F8EF0C43CD1h
                                                                                  lea edx, dword ptr [ebp-10h]
                                                                                  xor eax, eax
                                                                                  call 00007F8EF0C46F4Bh
                                                                                  mov edx, dword ptr [ebp-10h]
                                                                                  mov eax, 0040DE30h
                                                                                  call 00007F8EF0C43072h
                                                                                  push 00000002h
                                                                                  push 00000000h
                                                                                  push 00000001h
                                                                                  mov ecx, dword ptr [0040DE30h]
                                                                                  mov dl, 01h
                                                                                  mov eax, 00407840h
                                                                                  call 00007F8EF0C47806h
                                                                                  mov dword ptr [0040DE34h], eax
                                                                                  xor edx, edx
                                                                                  push ebp
                                                                                  push 0040B122h
                                                                                  push dword ptr fs:[edx]
                                                                                  mov dword ptr fs:[edx], esp
                                                                                  call 00007F8EF0C49F66h
                                                                                  mov dword ptr [0040DE3Ch], eax
                                                                                  mov eax, dword ptr [0040DE3Ch]
                                                                                  cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe000 | 0x97c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x10000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0xa208 | 0xa400 | 49513e676dadfb3919c4b137dd7c6d66 | False | 0.5959413109756098 | data | 6.6016742350943245 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xc000 | 0x250 | 0x400 | 0a7b48e75f6b6ef4a087528fee0d185c | False | 0.30859375 | data | 2.771347682604831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xd000 | 0xe94 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xe000 | 0x97c | 0xa00 | df5f31e62e05c787fd29eed7071bf556 | False | 0.41796875 | data | 4.486076246232586 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xf000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x10000 | 0x18 | 0x200 | 14dfa4128117e7f94fe2f8d7dea374a0 | False | 0.05078125 | data | 0.190488766434666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x11000 | 0x920 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x2c00 | 0x2c00 | 918d62afc56a8726fb34ae1b9aee0a59 | False | 0.33451704545454547 | data | 4.597618056289522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
| --- | --- | --- | --- | --- | --- | --- |
| RT_ICON | 0x12354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675 |
| RT_ICON | 0x1247c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179 |
| RT_ICON | 0x129e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548 |
| RT_ICON | 0x12ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516 |
| RT_STRING | 0x13574 | 0x2f2 | data | | | 0.35543766578249336 |
| RT_STRING | 0x13868 | 0x30c | data | | | 0.3871794871794872 |
| RT_STRING | 0x13b74 | 0x2ce | data | | | 0.42618384401114207 |
| RT_STRING | 0x13e44 | 0x68 | data | | | 0.75 |
| RT_STRING | 0x13eac | 0xb4 | data | | | 0.6277777777777778 |
| RT_STRING | 0x13f60 | 0xae | data | | | 0.5344827586206896 |
| RT_RCDATA | 0x14010 | 0x2c | data | | | 1.1590909090909092 |
| RT_GROUP_ICON | 0x1403c | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0x1407c | 0x4f4 | data | English | United States | 0.2894321766561514 |
| RT_MANIFEST | 0x14570 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924 |

| DLL | Import |
| --- | --- |
| kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle |
| user32.dll | MessageBoxA |
| oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA |
| kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetUserDefaultLangID, GetSystemInfo, GetSystemDirectoryA, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle |
| user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA |
| comctl32.dll | InitCommonControls |
| advapi32.dll | AdjustTokenPrivileges |

| Language of compilation system | Country where language is spoken | Map |
| --- | --- | --- |
| Dutch | Netherlands | |
| English | United States | |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                  Dec 2, 2024 18:46:03.416692019 CET4434970213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:03.423856020 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:03.423877001 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:03.424177885 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:03.424738884 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:03.424747944 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.010766029 CET4434970513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.012461901 CET49705443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.012474060 CET4434970513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.012979984 CET49705443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.012984037 CET4434970513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.077264071 CET4434970813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.092392921 CET49708443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.092407942 CET4434970813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.093286037 CET49708443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.093292952 CET4434970813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.140907049 CET4434970613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.142201900 CET49706443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.142226934 CET4434970613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.142925024 CET49706443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.142930984 CET4434970613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.318958044 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.319498062 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.319509983 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.320199013 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.320204020 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.324280977 CET4434970713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.324742079 CET49707443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.324752092 CET4434970713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.325340033 CET49707443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.325344086 CET4434970713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.557245970 CET4434970513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.557308912 CET4434970513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.557363987 CET49705443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.557648897 CET49705443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.557667017 CET4434970513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.557681084 CET49705443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.557686090 CET4434970513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.558445930 CET4434970813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.558495045 CET4434970813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.558613062 CET49708443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.558788061 CET49708443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.558788061 CET49708443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.558795929 CET4434970813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.558804989 CET4434970813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.561394930 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.561424017 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.561470985 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.561494112 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.561505079 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.561559916 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.561839104 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.561846018 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.561846972 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.561868906 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.664694071 CET4434970613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.664773941 CET4434970613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.664866924 CET49706443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.665107012 CET49706443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.665107012 CET49706443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.665127993 CET4434970613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.665138006 CET4434970613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.668831110 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.668862104 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.669049978 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.669408083 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.669420004 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.894766092 CET4434970713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.894871950 CET4434970713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.894927025 CET49707443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.895184994 CET49707443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.895198107 CET4434970713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.895225048 CET49707443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.895229101 CET4434970713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.898233891 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.898268938 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.898575068 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.899045944 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.899065971 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.947629929 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.947705984 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.947849989 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.949491024 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.949500084 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.949512959 CET49709443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.949517012 CET4434970913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.953027010 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.953041077 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:05.953121901 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.953336954 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:05.953345060 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.316839933 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.369338036 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.380641937 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.422615051 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.424288034 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.443551064 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.443564892 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.444176912 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.444190025 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.462651968 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.462670088 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.466593027 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.466600895 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.468240976 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.468255997 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.469079018 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.469084978 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.650842905 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.651417017 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.651429892 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.651967049 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.651973009 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.717924118 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.718518972 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.718539000 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.719082117 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.719086885 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.761343002 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.761507988 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.761567116 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.779664040 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.779684067 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.779696941 CET49713443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.779704094 CET4434971313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.784383059 CET49718443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.784409046 CET4434971813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.784480095 CET49718443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.784699917 CET49718443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.784710884 CET4434971813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.825932980 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.826080084 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.826174021 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.826261044 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.826275110 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.826297998 CET49712443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.826301098 CET4434971213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.829766989 CET49719443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.829817057 CET4434971913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.829899073 CET49719443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.830121040 CET49719443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.830137968 CET4434971913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.865231037 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.865320921 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.865478992 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.865624905 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.865648031 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.865712881 CET49714443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.865719080 CET4434971413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.869693995 CET49720443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.869719982 CET4434972013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:07.869791031 CET49720443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.870115995 CET49720443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:07.870124102 CET4434972013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.088635921 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.088697910 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.088745117 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.089023113 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.089046001 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.089066029 CET49715443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.089072943 CET4434971513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.092155933 CET49721443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.092197895 CET4434972113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.092264891 CET49721443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.092416048 CET49721443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.092431068 CET4434972113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.156333923 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.156410933 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.156470060 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.157382011 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.157399893 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.157413960 CET49716443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.157418966 CET4434971613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.164076090 CET49722443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.164105892 CET4434972213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:08.164166927 CET49722443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.164520025 CET49722443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:08.164527893 CET4434972213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:09.577258110 CET4434971913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:09.599065065 CET4434972013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:09.604337931 CET4434971813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:09.620044947 CET49719443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:09.620059013 CET4434971913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:09.620727062 CET49719443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:09.620733023 CET4434971913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:09.625844002 CET49720443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:09.625884056 CET4434972013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:14.925033092 CET49742443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:14.926757097 CET49742443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:14.926769972 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.485253096 CET4434973813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.485826969 CET49738443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.485846996 CET4434973813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.486275911 CET49738443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.486279964 CET4434973813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.612921953 CET4434974013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.613861084 CET49740443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.613876104 CET4434974013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.614267111 CET49740443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.614270926 CET4434974013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.621053934 CET4434973913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.621406078 CET49739443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.621429920 CET4434973913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.621928930 CET49739443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.621934891 CET4434973913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.741216898 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.741585016 CET49742443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.741596937 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.741981030 CET49742443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.741986990 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.761142015 CET4434974113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.780700922 CET49741443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.780719995 CET4434974113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.781114101 CET49741443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.781119108 CET4434974113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.922153950 CET4434973813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.922241926 CET4434973813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.922297001 CET49738443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.922491074 CET49738443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.922491074 CET49738443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.922513008 CET4434973813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.922522068 CET4434973813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.925246954 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.925292015 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:16.925405025 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.925570011 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:16.925580978 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.084922075 CET4434974013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.085005045 CET4434974013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.085130930 CET49740443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.085267067 CET49740443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.085267067 CET49740443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.085283995 CET4434974013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.085293055 CET4434974013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.088181973 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.088222980 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.088315010 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.088490009 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.088505983 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.089188099 CET4434973913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.089273930 CET4434973913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.089549065 CET49739443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.089549065 CET49739443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.089582920 CET49739443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.089596987 CET4434973913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.091820002 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.091856003 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.091991901 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.092184067 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.092192888 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.189542055 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.189595938 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.189889908 CET49742443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.190061092 CET49742443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.190061092 CET49742443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.190078974 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.190087080 CET4434974213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.192934036 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.192962885 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.193164110 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.194046974 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.194061041 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.214087963 CET4434974113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.214144945 CET4434974113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.214289904 CET49741443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.214318991 CET49741443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.214325905 CET4434974113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.214333057 CET49741443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.214338064 CET4434974113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.216954947 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.216973066 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:17.217226028 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.217355013 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:17.217363119 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:18.472873926 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:18.475361109 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:18.475385904 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:18.475811958 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:18.475817919 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:18.822498083 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:18.822909117 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:18.822921991 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:18.823303938 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:18.823308945 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.073653936 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.073743105 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.074026108 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.074026108 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.074229002 CET49744443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.074246883 CET4434974413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.076884031 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.076922894 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.077081919 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.077251911 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.077261925 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.100364923 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.100670099 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.100841045 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.100850105 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.100881100 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.101032019 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.101041079 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.101289034 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.101294041 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.101423979 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.101428032 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.101636887 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.101650000 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.101964951 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.101972103 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.431025028 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.431107998 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.434400082 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.434576988 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.434576988 CET49745443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.434596062 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.434608936 CET4434974513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.438656092 CET49751443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.438695908 CET4434975113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.439102888 CET49751443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.439538002 CET49751443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.439549923 CET4434975113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.552798986 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.552862883 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.553186893 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.553261995 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.553261995 CET49748443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.553277016 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.553280115 CET4434974813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.556926012 CET49752443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.556962013 CET4434975213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.557166100 CET49752443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.557328939 CET49752443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.557339907 CET4434975213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.571069956 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.571146011 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.571388960 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.571419954 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.571436882 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.571446896 CET49747443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.571451902 CET4434974713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.571827888 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.571891069 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.571943998 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.572133064 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.572149992 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.572161913 CET49746443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.572168112 CET4434974613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.573839903 CET49753443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.573879957 CET4434975313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.574147940 CET49754443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.574176073 CET4434975413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.574208021 CET49753443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.574305058 CET49754443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.574383020 CET49753443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.574398041 CET4434975313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:19.574449062 CET49754443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:19.574460983 CET4434975413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:20.832135916 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:20.876626968 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:20.997415066 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:20.997432947 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:20.998065948 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:20.998070002 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:21.290378094 CET4434975113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:21.291718960 CET49751443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:21.291737080 CET4434975113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:21.292191982 CET49751443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:21.292196035 CET4434975113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:21.314749956 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:21.314827919 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:21.315177917 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:21.315416098 CET49750443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:21.315438986 CET4434975013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.361675024 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.381714106 CET4434976713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.381769896 CET4434976713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.381915092 CET49767443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.381978035 CET49767443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.381995916 CET4434976713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.382005930 CET49767443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.382011890 CET4434976713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.384397984 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.384429932 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.384510040 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.384638071 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.384648085 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.549669981 CET4434976913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.549731016 CET4434976913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.550247908 CET49769443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.550282001 CET49769443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.550282001 CET49769443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.550298929 CET4434976913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.550308943 CET4434976913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.552567005 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.552592039 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:26.552772999 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.552930117 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:26.552941084 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:27.867995024 CET4434977113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:27.868432999 CET49771443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:27.868452072 CET4434977113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:27.868868113 CET49771443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:27.868876934 CET4434977113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.095901012 CET4434977213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.096493006 CET49772443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.096513987 CET4434977213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.096918106 CET49772443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.096923113 CET4434977213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.101049900 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.101342916 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.101428032 CET49773443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.101444006 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.101779938 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.101798058 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.101819038 CET49773443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.101824045 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.102212906 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.102216959 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.144824028 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.144891024 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.145944118 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.145950079 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.146183014 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.197506905 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.270256996 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.270581961 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.270593882 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.270972013 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.270976067 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.321234941 CET4434977113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.321317911 CET4434977113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.327929974 CET49771443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.328332901 CET49771443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.328332901 CET49771443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.328355074 CET4434977113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.328365088 CET4434977113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.331394911 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.331418991 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.331634998 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.331768990 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.331779957 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.536375999 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.536439896 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.539994001 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.540203094 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.540225983 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.540236950 CET49775443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.540242910 CET4434977513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.540750027 CET4434977213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.540925026 CET4434977213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.541248083 CET49772443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.541601896 CET49772443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.541620970 CET4434977213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.541670084 CET49772443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.541676044 CET4434977213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.543984890 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.544019938 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.544665098 CET49780443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.544693947 CET4434978013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.544795036 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.544936895 CET49780443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.544992924 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.545001984 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.545005083 CET49780443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.545015097 CET4434978013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.546303988 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.546369076 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.555325985 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.560997963 CET49773443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.561899900 CET49773443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.561911106 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.561944962 CET49773443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.561949968 CET4434977313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.563842058 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.563875914 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.563987017 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.564125061 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.564136028 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.706336021 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.706429005 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.708012104 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.708230972 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.708259106 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.708276033 CET49776443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.708281994 CET4434977613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.710937977 CET49782443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.710989952 CET4434978213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:28.711990118 CET49782443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.712191105 CET49782443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:28.712205887 CET4434978213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.428936005 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:29.428983927 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:29.429034948 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.938704014 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.938741922 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.938749075 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.938786983 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.938806057 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.938832045 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:29.938998938 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:29.981445074 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:29.981471062 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:29.981484890 CET49774443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:29.981491089 CET4434977413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.117434978 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.118529081 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.118556976 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.118957043 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.118962049 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.283801079 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.284315109 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.284343004 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.284837008 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.284842968 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.334728003 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.335238934 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.335262060 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.335681915 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.335686922 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.396874905 CET4434978013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.399677992 CET49780443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.399708033 CET4434978013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.400185108 CET49780443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.400193930 CET4434978013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.497606039 CET4434978213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.498083115 CET49782443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.498109102 CET4434978213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.498518944 CET49782443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.498523951 CET4434978213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.594875097 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.594949007 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.595170975 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.595211029 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.595231056 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.595242023 CET49778443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.595247030 CET4434977813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.597712994 CET49783443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.597757101 CET4434978313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.597920895 CET49783443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.598067999 CET49783443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.598082066 CET4434978313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.720097065 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.720171928 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.720261097 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.720483065 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.720504999 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.720520973 CET49781443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.720525980 CET4434978113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.723423958 CET49784443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.723460913 CET4434978413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.723836899 CET49784443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.723836899 CET49784443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.723870039 CET4434978413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.780884027 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.780949116 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.781188965 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.781188965 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.781220913 CET49779443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:30.781236887 CET4434977913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:30.784285069 CET49785443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.254821062 CET49802443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.254973888 CET49802443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.255004883 CET4434980213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.820434093 CET4434978913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.820549011 CET4434978913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.820698023 CET49789443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.820734978 CET49789443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.820734978 CET49789443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.820761919 CET4434978913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.820771933 CET4434978913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.823137999 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.823183060 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.823275089 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.823416948 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.823431969 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.836214066 CET4434979113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.836734056 CET4434979113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.836798906 CET49791443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.836822987 CET49791443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.836822987 CET49791443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.836831093 CET4434979113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.836839914 CET4434979113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.839225054 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.839266062 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:40.839601040 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.839601040 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:40.839628935 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.427025080 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.437160969 CET49800443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.437185049 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.437547922 CET49800443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.437552929 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.652908087 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.662040949 CET49801443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.662070990 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.662444115 CET49801443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.662447929 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.886790037 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.886832952 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.891657114 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.893857956 CET49800443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.923887968 CET49800443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.923916101 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.923928976 CET49800443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.923933983 CET4434980013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.963773966 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.963829041 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:41.964086056 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.964308977 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:41.964327097 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.090048075 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.090071917 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.090145111 CET49801443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.090161085 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.090570927 CET49801443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.090570927 CET49801443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.090584040 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.090734005 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.090760946 CET4434980113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.091238022 CET49801443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.093992949 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.094036102 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.094496965 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.094688892 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.094698906 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.117656946 CET4434980213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.118124962 CET49802443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.118211031 CET4434980213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.118582010 CET49802443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.118599892 CET4434980213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.573906898 CET4434980213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.574054003 CET4434980213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.574203014 CET49802443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.574203014 CET49802443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.574271917 CET49802443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.574310064 CET4434980213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.576952934 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.576992035 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.577066898 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.577224016 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.577234983 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.612519979 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.612922907 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.612951040 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.613348007 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.613353014 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.627799034 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.628284931 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.628305912 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:42.628638029 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:42.628647089 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.067440033 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.067519903 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.067708015 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.067745924 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.067766905 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.067780018 CET49804443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.067785978 CET4434980413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.070405006 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.070447922 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.070537090 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.070676088 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.070686102 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.079094887 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.082050085 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.082103968 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.082130909 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.082145929 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.082156897 CET49805443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.082161903 CET4434980513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.084896088 CET49810443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.084929943 CET4434981013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.085016012 CET49810443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.085160971 CET49810443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.085170031 CET4434981013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.810647011 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.811170101 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.811187029 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.811608076 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.811614037 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.873883009 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.874342918 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.874362946 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:43.874754906 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:43.874758959 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.264930964 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.268270969 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.275346041 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.283272982 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.284638882 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.284655094 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.284666061 CET49806443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.284671068 CET4434980613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.293621063 CET49811443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.293675900 CET4434981113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.298868895 CET49811443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.318526983 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.318706989 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.323333025 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.329699993 CET49811443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.329767942 CET4434981113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.330163002 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.332492113 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.332518101 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.332532883 CET49807443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.332540035 CET4434980713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.335267067 CET49812443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.335299969 CET4434981213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.345168114 CET49812443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.345700026 CET49812443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.345720053 CET4434981213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.432610989 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.459606886 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.459614992 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.466308117 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.466312885 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.789253950 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.789665937 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.789691925 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.790036917 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.790040970 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.800487995 CET4434981013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.800848007 CET49810443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.800862074 CET4434981013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.801191092 CET49810443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.801194906 CET4434981013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.887331963 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.890084982 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.890284061 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.890316963 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.890333891 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.890343904 CET49808443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.890348911 CET4434980813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.892992973 CET49813443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.893042088 CET4434981313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:44.893208027 CET49813443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.893323898 CET49813443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:44.893340111 CET4434981313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:45.226574898 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:45.226649046 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:45.226833105 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:45.226891041 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:45.226911068 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:45.226922035 CET49809443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:45.226927996 CET4434980913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:45.229495049 CET49814443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:45.229532003 CET4434981413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:51.849618912 CET4434982713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:51.850066900 CET49827443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:51.850070953 CET4434982713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:51.851484060 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:51.851501942 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:51.851564884 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:51.851680994 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:51.851691961 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.170644999 CET4434982513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.173358917 CET4434982513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.173413038 CET4434982513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.176281929 CET49825443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.306375980 CET49825443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.306375980 CET49825443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.306392908 CET4434982513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.306396961 CET4434982513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.311050892 CET4434982713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.311142921 CET4434982713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.314141989 CET49827443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.326955080 CET49827443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.326955080 CET49827443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.326963902 CET4434982713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.326972008 CET4434982713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.350684881 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.350747108 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.350898981 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.351696014 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.351711035 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.352966070 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.353003979 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.353085995 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.353207111 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.353215933 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.797539949 CET4434982913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.813137054 CET49829443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.813165903 CET4434982913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.813699961 CET49829443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.813705921 CET4434982913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.830882072 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.847790956 CET49828443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.847824097 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:52.848217010 CET49828443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:52.848222017 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.233695984 CET4434982913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.236998081 CET4434982913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.237063885 CET49829443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.237112045 CET49829443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.237131119 CET4434982913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.237142086 CET49829443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.237147093 CET4434982913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.239758968 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.239789009 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.239877939 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.240015984 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.240024090 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.284959078 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.288649082 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.288706064 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.288780928 CET49828443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.288813114 CET49828443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.288825035 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.288834095 CET49828443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.288837910 CET4434982813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.291080952 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.291115046 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.291585922 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.291585922 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.291615963 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.637096882 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.637629986 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.637656927 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:53.638065100 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:53.638072014 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.083626986 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.083703041 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.083774090 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.083934069 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.083955050 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.083966017 CET49830443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.083971977 CET4434983013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.086580038 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.086611986 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.086805105 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.086978912 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.086991072 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.094783068 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.095236063 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.095251083 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.096739054 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.096751928 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.132333994 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.133102894 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.133131981 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.133610964 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.133616924 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.529680014 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.529823065 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.529898882 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.535331964 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.544408083 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.546005011 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.546022892 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.546032906 CET49832443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.546037912 CET4434983213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.548475027 CET49837443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.548511982 CET4434983713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.550411940 CET49837443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.550580978 CET49837443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.550594091 CET4434983713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.579511881 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.582411051 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.586261034 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.586292982 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.586292982 CET49831443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.586308956 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.586318016 CET4434983113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.588269949 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.588293076 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.590528965 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.590643883 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.590656042 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.993721962 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.994204044 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.994230986 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:54.995644093 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:54.995651007 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.088110924 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.088766098 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.088783026 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.089195013 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.089202881 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.429397106 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.433023930 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.433128119 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.433160067 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.433160067 CET49834443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.433177948 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.433186054 CET4434983413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.435725927 CET49839443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.435770035 CET4434983913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.435889959 CET49839443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.436028004 CET49839443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.436043978 CET4434983913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.534521103 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.537945986 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.538044930 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.538085938 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.538085938 CET49835443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.538108110 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.538116932 CET4434983513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.540626049 CET49840443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.540653944 CET4434984013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.540723085 CET49840443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.540857077 CET49840443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.540868044 CET4434984013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.880604029 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.881047964 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.881062031 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:55.883199930 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:55.883203983 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.334059954 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.336605072 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.336673021 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.336735964 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.336755037 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.336767912 CET49836443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.336775064 CET4434983613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.339303017 CET49841443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.339335918 CET4434984113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.339406967 CET49841443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.339540958 CET49841443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.339551926 CET4434984113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.415659904 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.416105986 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.416119099 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.417592049 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.417598963 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.860687017 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.863590002 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.864154100 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.864260912 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.864280939 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.864305973 CET49838443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.864311934 CET4434983813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.867000103 CET49842443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:46:56.867038012 CET4434984213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:46:56.868613005 CET49842443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.475219965 CET4434985113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.475332975 CET49851443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.475384951 CET49851443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.475384951 CET49851443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.475403070 CET4434985113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.475414038 CET4434985113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.478122950 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.478163004 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.478390932 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.478563070 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.478574038 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.701725960 CET4434985213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.704844952 CET4434985213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.704941988 CET49852443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.704984903 CET49852443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.704998016 CET4434985213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.705008984 CET49852443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.705015898 CET4434985213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.707544088 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.707564116 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:03.707688093 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.707843065 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:03.707854986 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.159440041 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.160130024 CET49853443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.160156965 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.160635948 CET49853443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.160643101 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.247415066 CET4434985413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.248553038 CET49854443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.248579979 CET4434985413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.249002934 CET49854443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.249010086 CET4434985413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.605048895 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.608103991 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.608171940 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.608174086 CET49853443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.608243942 CET49853443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.608304977 CET49853443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.608325005 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.608335018 CET49853443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.608340025 CET4434985313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.611875057 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.611896992 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.612060070 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.612237930 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.612247944 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.652324915 CET4434985513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.652812958 CET49855443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.652827978 CET4434985513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.653388977 CET49855443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.653393030 CET4434985513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.691694021 CET4434985413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.695136070 CET4434985413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.695214987 CET49854443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.695255995 CET49854443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.695271015 CET4434985413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.695287943 CET49854443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.695292950 CET4434985413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.698359966 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.698386908 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:04.698688030 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.698862076 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:04.698869944 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.107194901 CET4434985513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.107300043 CET4434985513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.112762928 CET49855443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.129548073 CET49855443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.129575968 CET4434985513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.129585981 CET49855443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.129590988 CET4434985513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.153132915 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.153189898 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.156295061 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.176871061 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.176892996 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.196547031 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.247744083 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.303270102 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.303301096 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.303700924 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.303705931 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.426589966 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.427098989 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.427120924 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.427539110 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.427544117 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.631304979 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.631375074 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.631525040 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.631773949 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.631783009 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.631794930 CET49856443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.631798983 CET4434985613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.634305000 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.634337902 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.638016939 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.640780926 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.640794992 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.863435984 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.866817951 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.866878033 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.866981983 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.867012024 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.867024899 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.867036104 CET49857443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.867042065 CET4434985713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.869826078 CET49862443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.869873047 CET4434986213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:05.869982004 CET49862443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.870126009 CET49862443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:05.870136023 CET4434986213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.419617891 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.420061111 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.420075893 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.420507908 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.420514107 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.461158991 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.461709023 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.461738110 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.462141991 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.462147951 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.855304956 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.858474970 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.858529091 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.859035015 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.859092951 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.859092951 CET49859443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.859107018 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.859114885 CET4434985913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.864027023 CET49863443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.864070892 CET4434986313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.869083881 CET49863443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.869083881 CET49863443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.869117975 CET4434986313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.919246912 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.922609091 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.922715902 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.922715902 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.922868967 CET49858443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.922888041 CET4434985813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.925415039 CET49864443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.925458908 CET4434986413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.925638914 CET49864443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.925689936 CET49864443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.925695896 CET4434986413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.958348989 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.959188938 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.959188938 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:06.959208965 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:06.959222078 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.402791023 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.405931950 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.408747911 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.408747911 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.410103083 CET49860443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.410124063 CET4434986013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.415668011 CET49865443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.415703058 CET4434986513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.422976971 CET49865443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.423544884 CET49865443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.423557043 CET4434986513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.493608952 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.497380972 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.497420073 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.498166084 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.498174906 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.715662956 CET4434986213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.780241966 CET49862443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.790091991 CET49862443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.790128946 CET4434986213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.802362919 CET49862443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.802382946 CET4434986213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.948520899 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.951689005 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.953351021 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.953555107 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.953582048 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.953594923 CET49861443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.953602076 CET4434986113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.956264973 CET49866443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.956299067 CET4434986613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:07.956372023 CET49866443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.956515074 CET49866443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:07.956522942 CET4434986613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:08.171000957 CET4434986213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:08.174026012 CET4434986213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.439344883 CET4434987613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.439721107 CET49876443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.439727068 CET4434987613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.877676010 CET4434987713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.877696991 CET4434987713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.877794027 CET49877443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.877820015 CET4434987713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.877979994 CET49877443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.877985954 CET4434987713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.878005028 CET49877443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.878143072 CET4434987713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.878173113 CET4434987713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.878650904 CET49877443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.880536079 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.880570889 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.882888079 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.883058071 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.883074045 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.894721985 CET4434987613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.898272991 CET4434987613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.898519993 CET49876443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.898571014 CET49876443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.898571014 CET49876443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.898588896 CET4434987613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.898598909 CET4434987613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.901247978 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.901264906 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:14.901340008 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.901463032 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:14.901482105 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.377791882 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.379086018 CET49878443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.379098892 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.379504919 CET49878443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.379508972 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.549455881 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.554434061 CET49879443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.554452896 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.554862022 CET49879443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.554866076 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.824696064 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.828109026 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.828166008 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.828214884 CET49878443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.828258038 CET49878443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.828274965 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.828284979 CET49878443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.828290939 CET4434987813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.831185102 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.831243992 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:15.831334114 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.831471920 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:15.831486940 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.004157066 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.007704973 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.007750988 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.007765055 CET49879443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.007981062 CET49879443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.008029938 CET49879443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.008049965 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.008069038 CET49879443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.008074999 CET4434987913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.010521889 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.010562897 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.010660887 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.010786057 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.010797977 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.047859907 CET4434988013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.048356056 CET49880443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.048371077 CET4434988013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.048779011 CET49880443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.048784018 CET4434988013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.491802931 CET4434988013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.494967937 CET4434988013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.495389938 CET49880443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.496292114 CET49880443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.496304989 CET4434988013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.496319056 CET49880443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.496325970 CET4434988013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.498955011 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.499005079 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.500514984 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.500603914 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.500611067 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.736635923 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.737111092 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.737135887 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:16.737565041 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:16.737571001 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.220551014 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.223630905 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.223690033 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.223762035 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.223809958 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.223829031 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.223841906 CET49881443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.223848104 CET4434988113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.226573944 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.226615906 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.226846933 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.227174044 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.227186918 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.284882069 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.285429955 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.285444975 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.285850048 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.285855055 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.648839951 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.652443886 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.652462959 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.652834892 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.652838945 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.695641041 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.696024895 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.696048975 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.696427107 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.696433067 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.740417957 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.743387938 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.743452072 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.743489027 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.743499994 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.743511915 CET49882443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.743516922 CET4434988213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.746191978 CET49887443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.746228933 CET4434988713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:17.746460915 CET49887443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.746609926 CET49887443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:17.746620893 CET4434988713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.105995893 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.108808041 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.108860970 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.116044998 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.120846987 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.120870113 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.120882034 CET49884443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.120888948 CET4434988413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.127589941 CET49888443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.127629995 CET4434988813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.129219055 CET49888443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.129508018 CET49888443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.129523993 CET4434988813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.141041994 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.141068935 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.144480944 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.155334949 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.155832052 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.156168938 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.156193018 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.156205893 CET49883443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.156212091 CET4434988313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.158878088 CET49889443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.158916950 CET4434988913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.159001112 CET49889443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.159157038 CET49889443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.159168959 CET4434988913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.226747990 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.232276917 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.232314110 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.239619970 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.239625931 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.661330938 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.661381006 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.661434889 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.661565065 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.661765099 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.661782980 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.661793947 CET49885443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.661799908 CET4434988513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.664582968 CET49890443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.664614916 CET4434989013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:18.664753914 CET49890443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.664834023 CET49890443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:18.664844036 CET4434989013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.021667957 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.022191048 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:19.022206068 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.022639990 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:19.022644043 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.467982054 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.470927954 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.471002102 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:19.471060038 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:19.471081972 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.471103907 CET49886443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:19.471110106 CET4434988613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:19.473716021 CET49891443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.022581100 CET4434990113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.022646904 CET4434990113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.022650003 CET49901443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.022732019 CET49901443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.022885084 CET49901443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.022907972 CET4434990113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.025612116 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.025643110 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.025778055 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.025918961 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.025933027 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.060203075 CET4434990213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.060587883 CET4434990213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.062992096 CET49902443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.063596010 CET49902443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.063617945 CET4434990213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.063652992 CET49902443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.063659906 CET4434990213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.066572905 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.066654921 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.066732883 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.066900015 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.066931009 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.281054020 CET4434990313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.281091928 CET4434990313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.281146049 CET4434990313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.281832933 CET49903443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.282167912 CET49903443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.282169104 CET49903443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.282195091 CET4434990313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.282205105 CET4434990313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.285002947 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.285028934 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.294684887 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.294981003 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.294994116 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.750751972 CET4434990413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.751328945 CET49904443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.751396894 CET4434990413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:27.751768112 CET49904443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:27.751784086 CET4434990413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.034075022 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.034682989 CET49899443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.034734011 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.035243034 CET49899443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.035255909 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.277627945 CET4434990413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.277900934 CET4434990413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.281630993 CET49904443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.282058001 CET49904443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.282077074 CET4434990413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.282083035 CET49904443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.282088041 CET4434990413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.285506964 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.285557985 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.303797007 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.305763960 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.305802107 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.563395023 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.563433886 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.563488960 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.563621044 CET49899443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.575361967 CET49899443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.575361967 CET49899443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.575406075 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.575488091 CET4434989913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.616477013 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.616509914 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.619787931 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.644037008 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.644048929 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.830205917 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.830662012 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.830682039 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.831199884 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.831206083 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.860070944 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.860797882 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.860837936 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:28.861193895 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:28.861207962 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.137157917 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.137865067 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.137887955 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.138304949 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.138309956 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.338696003 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.339287043 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.342459917 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.342477083 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.342504025 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.342550993 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.342560053 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.342588902 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.342657089 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.342657089 CET49906443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.342700958 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.342720985 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.342725992 CET4434990613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.342737913 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.342750072 CET49905443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.342755079 CET4434990513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.345546961 CET49910443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.345549107 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.345591068 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.345591068 CET4434991013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.345676899 CET49910443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.345690012 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.345839977 CET49910443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.345854044 CET4434991013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.345870972 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.345880985 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.582792997 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.582818985 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.582868099 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.584979057 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.585185051 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.585195065 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.585207939 CET49907443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.585215092 CET4434990713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.588076115 CET49912443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.588118076 CET4434991213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:29.588411093 CET49912443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.588557005 CET49912443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:29.588571072 CET4434991213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.165654898 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.166263103 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.166285038 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.166757107 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.166762114 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.362793922 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.363989115 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.363989115 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.364020109 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.364056110 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.733997107 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.734016895 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.734067917 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.735230923 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.735479116 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.735479116 CET49908443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.735496044 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.735505104 CET4434990813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.737962008 CET49913443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.737993002 CET4434991313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:30.740158081 CET49913443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.740277052 CET49913443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:30.740283012 CET4434991313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.058501005 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.061465979 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.061521053 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.074212074 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.170193911 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.170226097 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.170239925 CET49909443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.170247078 CET4434990913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.229175091 CET49914443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.229223967 CET4434991413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.232574940 CET49914443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.242804050 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.263293028 CET4434991013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.287478924 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.307766914 CET49910443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.313404083 CET49914443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.313419104 CET4434991413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.313735962 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.313755035 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.314165115 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.314174891 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.314811945 CET49910443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.314826965 CET4434991013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.315190077 CET49910443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.315197945 CET4434991013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.447449923 CET4434991213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.450570107 CET49912443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.450594902 CET4434991213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.451138973 CET49912443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.451145887 CET4434991213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.679254055 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.681929111 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.681971073 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.681987047 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.682027102 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.682065010 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.682085037 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:31.682090044 CET49911443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:31.682094097 CET4434991113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.142529964 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.444396973 CET4434992513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.447433949 CET4434992513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.447489977 CET4434992513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.447536945 CET49925443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.447566032 CET49925443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.447601080 CET49925443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.447626114 CET4434992513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.447638035 CET49925443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.447644949 CET4434992513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.450218916 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.450254917 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.450328112 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.450453997 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.450469971 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.470848083 CET4434992613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.471256971 CET49926443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.471275091 CET4434992613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.471704006 CET49926443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.471709967 CET4434992613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.724852085 CET4434992713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.728481054 CET49927443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.728504896 CET4434992713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.728883028 CET49927443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.728887081 CET4434992713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.920041084 CET4434992613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.920110941 CET4434992613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.928889990 CET49926443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.932838917 CET49926443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.932856083 CET4434992613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.933084965 CET49926443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.933089972 CET4434992613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.991717100 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.991759062 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:38.992079973 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.992284060 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:38.992295027 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.170425892 CET4434992713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.173525095 CET4434992713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.174644947 CET49927443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.175519943 CET49927443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.175542116 CET4434992713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.175554037 CET49927443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.175564051 CET4434992713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.178426981 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.178479910 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.178628922 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.178745985 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.178755045 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.877265930 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.877789974 CET49929443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.877799988 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.879383087 CET49929443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.879386902 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.948292017 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.948805094 CET49930443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.948822021 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:39.949249029 CET49930443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:39.949256897 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.185846090 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.186944008 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.186944008 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.186978102 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.187000036 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.335747957 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.335779905 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.335824013 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.335948944 CET49929443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.335948944 CET49929443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.336219072 CET49929443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.336219072 CET49929443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.336232901 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.336236000 CET4434992913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.339253902 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.339287043 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.339385033 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.339499950 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.339508057 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.395046949 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.398585081 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.402872086 CET49930443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.403136969 CET49930443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.403156996 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.403163910 CET49930443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.403172970 CET4434993013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.405834913 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.405880928 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.409487963 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.409670115 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.409684896 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.653630972 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.653726101 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.653781891 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.653996944 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.653996944 CET49931443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.654019117 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.654030085 CET4434993113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.657110929 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.657136917 CET4434993613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.657299042 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.657432079 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.657444954 CET4434993613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.663364887 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.666734934 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.666758060 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.667136908 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.667141914 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.962188005 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.962727070 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.962749004 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:40.963182926 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:40.963187933 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.116791010 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.120357990 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.120410919 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.124442101 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.124802113 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.124811888 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.124816895 CET49932443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.124820948 CET4434993213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.127768040 CET49937443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.127805948 CET4434993713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.127871037 CET49937443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.128027916 CET49937443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.128040075 CET4434993713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.405872107 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.410022974 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.412410975 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.440047979 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.440087080 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.440102100 CET49933443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.440109015 CET4434993313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.442663908 CET49938443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.442698956 CET4434993813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:41.443830013 CET49938443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.444041967 CET49938443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:41.444055080 CET4434993813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.126549959 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.127298117 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.127335072 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.127727032 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.127732992 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.259270906 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.259788036 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.259824991 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.260246992 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.260252953 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.449516058 CET4434993613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.450098038 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.450119019 CET4434993613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.450499058 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.450503111 CET4434993613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.577378035 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.580972910 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.581022024 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.581024885 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.581072092 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.581125021 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.581141949 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.581154108 CET49934443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.581159115 CET4434993413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.583467007 CET49939443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.583498955 CET4434993913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.583559990 CET49939443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.583686113 CET49939443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.583697081 CET4434993913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.721041918 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.724244118 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.724327087 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.724473953 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.724473953 CET49935443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.724492073 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.724503040 CET4434993513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.726892948 CET49940443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.726918936 CET4434994013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.726995945 CET49940443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.727155924 CET49940443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.727168083 CET4434994013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.903353930 CET4434993613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.906625986 CET4434993613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.906797886 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.906797886 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.906797886 CET49936443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.909579992 CET49941443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.909620047 CET4434994113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:42.909720898 CET49941443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:42.909840107 CET49941443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:50.374017954 CET49955443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:50.374197006 CET49955443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:50.374206066 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:50.703706026 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:50.704195976 CET49942443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:50.704219103 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:50.704663992 CET49942443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:50.704670906 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.158251047 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.161401033 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.161457062 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.161467075 CET49942443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.161501884 CET49942443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.161571026 CET49942443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.161596060 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.161608934 CET49942443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.161616087 CET4434994213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.164119005 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.164179087 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.168667078 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.168863058 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.168879032 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.291208982 CET4434995213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.292514086 CET49952443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.292527914 CET4434995213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.292948961 CET49952443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.292954922 CET4434995213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.409085989 CET4434995313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.412513971 CET49953443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.412533045 CET4434995313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.412918091 CET49953443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.412925005 CET4434995313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.531774998 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.532533884 CET49954443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.532551050 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.532970905 CET49954443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.532977104 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.737663031 CET4434995213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.740695000 CET4434995213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.740809917 CET49952443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.740848064 CET49952443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.740866899 CET4434995213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.740879059 CET49952443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.740885019 CET4434995213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.743649006 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.743695974 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.744158030 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.744304895 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.744318008 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.901227951 CET4434995313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.903578997 CET4434995313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.910337925 CET49953443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:51.981204033 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.984349966 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.984400988 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:51.991100073 CET49954443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.303662062 CET49953443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.303695917 CET4434995313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.303708076 CET49953443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.303714037 CET4434995313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.304986954 CET49954443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.304986954 CET49954443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.305022001 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.305033922 CET4434995413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.314747095 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.314791918 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.317523956 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.317575932 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.326839924 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.327150106 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.327881098 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.327898979 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.328120947 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.328134060 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.365365028 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.374682903 CET49955443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.374700069 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.375260115 CET49955443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.375266075 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.813261986 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.816209078 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.816270113 CET49955443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.818869114 CET49955443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.818869114 CET49955443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.818871975 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.818893909 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.818914890 CET4434995513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.818918943 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.819001913 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.819140911 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.819153070 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.954830885 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.955307007 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.955333948 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:52.955770016 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:52.955775976 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.410300016 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.413369894 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.413423061 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.413430929 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.413482904 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.413553953 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.413575888 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.413589954 CET49956443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.413595915 CET4434995613.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.416654110 CET49961443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.416702986 CET4434996113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.416866064 CET49961443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.417052984 CET49961443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.417062044 CET4434996113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.592669964 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.593234062 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.593266010 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:53.593689919 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:53.593696117 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.046596050 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.050014973 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.050187111 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.050229073 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.050229073 CET49957443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.050257921 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.050271034 CET4434995713.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.052704096 CET49962443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.052747965 CET4434996213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.052927017 CET49962443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.053082943 CET49962443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.053097963 CET4434996213.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.117197990 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.117511034 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.117722988 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.117742062 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.118196011 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.118200064 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.118700981 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.118735075 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.119036913 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.119045019 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.438927889 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.439415932 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.439443111 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.439858913 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.439862967 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.564088106 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.564929962 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.565479040 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.565530062 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.565552950 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.565587044 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.565624952 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.565649033 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.565660954 CET49958443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.565665960 CET4434995813.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.567512035 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.568160057 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.568223953 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.568243980 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.568254948 CET49959443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.568260908 CET4434995913.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.568464994 CET49963443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.568526030 CET4434996313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.568783045 CET49963443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.568892956 CET49963443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.568912029 CET4434996313.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.570238113 CET49964443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.570271969 CET4434996413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.570342064 CET49964443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.570461988 CET49964443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.570473909 CET4434996413.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.886137962 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.891779900 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.892147064 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.892198086 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.892216921 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.892227888 CET49960443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.892232895 CET4434996013.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.895334959 CET49965443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.895374060 CET4434996513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:54.895435095 CET49965443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.895637989 CET49965443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:54.895642996 CET4434996513.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:55.148350000 CET4434996113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:55.149337053 CET49961443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:55.149369955 CET4434996113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:55.149759054 CET49961443192.168.2.713.107.246.63
                                                                                  Dec 2, 2024 18:47:55.149763107 CET4434996113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:55.598815918 CET4434996113.107.246.63192.168.2.7
                                                                                  Dec 2, 2024 18:47:55.598895073 CET4434996113.107.246.63192.168.2.7
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
| --- | --- | --- | --- | --- |
| Dec 2, 2024 18:46:21.150513887 CET | 50291 | 53 | 192.168.2.7 | 1.1.1.1 |
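| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Dec 2, 2024 18:46:21.150513887 CET | 192.168.2.7 | 1.1.1.1 | 0x694c | Standard query (0) | settings-ssl.xboxlive.com | A (IP address) | IN (0x0001) | false |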
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Dec 2, 2024 18:46:07.679258108 CET | 1.1.1.1 | 192.168.2.7 | 0x3c56 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Dec 2, 2024 18:46:07.679258108 CET | 1.1.1.1 | 192.168.2.7 | 0x3c56 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Dec 2, 2024 18:46:21.387346029 CET | 1.1.1.1 | 192.168.2.7 | 0x694c | No error (0) | settings-ssl.xboxlive.com | settings-ssl.xboxlive.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 2, 2024 18:46:23.353570938 CET | 1.1.1.1 | 192.168.2.7 | 0x83ea | No error (0) | ep-afd-activation-cubaf8a6apchfsg5.z01.azurefd.net | star-azurefd-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 2, 2024 18:46:23.353570938 CET | 1.1.1.1 | 192.168.2.7 | 0x83ea | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 2, 2024 18:46:23.353570938 CET | 1.1.1.1 | 192.168.2.7 | 0x83ea | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
| Dec 2, 2024 18:47:37.861243010 CET | 1.1.1.1 | 192.168.2.7 | 0xd0f5 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |
| Dec 2, 2024 18:47:37.861243010 CET | 1.1.1.1 | 192.168.2.7 | 0xd0f5 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
                                                                                  • otelrules.azureedge.net
                                                                                  • activation2.playready.microsoft.com
| Session ID | Source IP | Source Port | Destination IP | Destination Port |
| --- | --- | --- | --- | --- |
| 0 | 192.168.2.7 | 49699 | 13.107.246.63 | 443 |
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:45:59 UTC | 195 | OUT | GET /rules/other-Win32-v19.bundle HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:00 UTC | 471 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:00 GMT
                                                                                  Content-Type: text/plain
                                                                                  Content-Length: 218853
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public
                                                                                  Last-Modified: Fri, 29 Nov 2024 23:15:49 GMT
                                                                                  ETag: "0x8DD10CBC2E3B852"
                                                                                  x-ms-request-id: 82d9e4b2-501e-007b-3a87-435ba2000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174600Z-174f7845968cdxdrhC1EWRg0en00000014n000000000ttve
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:00 UTC | 15913 | IN
                                                                                  Data Ascii: 1000v5+<?xml version="1.0" encoding="utf-8"?><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU"
2024-12-02 17:46:00 UTC | 16384 | IN
                                                                                  Data Ascii: /> </R> </O> </R> </O> </C> <C T="B" I="5" O="false"> <O T="AND"> <L> <O T="GE"> <L> <S T="1" F="0" /> </L> <R> <V V="400" T="I32" />
2024-12-02 17:46:00 UTC | 16384 | IN
                                                                                  Data Ascii: .0" encoding="utf-8"?><R Id="10820" V="3" DC="SM" EN="Office.Outlook.Desktop.ContactCardPropertiesCounts" ATT="d807609276744245baf81bf7bc8033f6-2268e374-7766-4976-be44-b6ad5bddc5b6-7813" DCa="PSU" xmlns=""> <S> <A T="1" E="TelemetryShutdown" />
2024-12-02 17:46:00 UTC | 16384 | IN
                                                                                  Data Ascii: </C> <C T="U32" I="9" O="true" N="Purged_Age"> <S T="4" F="Count" /> </C> <C T="U32" I="10" O="true" N="Purged_Count"> <S T="5" F="Count" /> </C> <C T="U32" I="11" O="true" N="File_Count"> <S T="8" F="Count" /> </C>
2024-12-02 17:46:00 UTC | 16384 | IN
                                                                                  Data Ascii: <S T="10" /> </C> </C> <C T="U32" I="1" O="false" N="Count_CreateCard_ValidManager_False"> <C> <S T="11" /> </C> </C> <C T="U32" I="2" O="false" N="Count_CreateResult_ValidPersona_False"> <C> <S T="12" />
2024-12-02 17:46:00 UTC | 16384 | IN
                                                                                  Data Ascii: Paint_IMsoPersona_WasNull_Count"> <C> <S T="32" /> </C> </C> <C T="U32" I="20" O="false" N="Paint_IMsoPersona_Null_Count"> <C> <S T="33" /> </C> </C> <C T="U32" I="21" O="false" N="CleanupMsoPersona_IMsoPerson
2024-12-02 17:46:00 UTC | 16384 | IN
                                                                                  Data Ascii: <R> <V V="200" T="I64" /> </R> </O> </L> <R> <O T="LT"> <L> <S T="3" F="RetrievalMilliseconds" /> </L> <R> <V V="400"
2024-12-02 17:46:00 UTC | 16384 | IN
                                                                                  Data Ascii: </S> <C T="U32" I="0" O="false" N="Ocom2IUCOfficeIntegrationFirstCallSuccessCount"> <C> <S T="9" /> </C> </C> <C T="U32" I="1" O="false" N="Ocom2IUCOfficeIntegrationFirstCallFailedCount"> <C> <S T="10" /> </C
2024-12-02 17:46:00 UTC | 16384 | IN | Data Ascii: L> <S T="3" F="Tenant enabled" /> </L> <R> <O T="EQ"> <L> <S T="3" F="User enabled" /> </L> <R> <V V="false" T="B" /> </R>
2024-12-02 17:46:00 UTC | 16384 | IN | Data Ascii: us" /> </L> <R> <V V="404" T="U32" /> </R> </O> </F> <F T="7"> <O T="AND"> <L> <O T="GE"> <L> <S T="2" F="HttpStatus" /> </L>


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.7 | 49700 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:02 UTC | 193 | OUT | GET /rules/rule120402v21s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:03 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:03 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 3788
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:17 GMT
                                                                                  ETag: "0x8DC582BAC2126A6"
                                                                                  x-ms-request-id: 0b3277ea-501e-00a0-5e91-3f9d9f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174603Z-174f78459684bddphC1EWRbht400000014d000000000t52v
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:03 UTC | 3788 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120402" V="21" DC="SM" EN="Office.System.SystemHealthUngracefulAppExitDesktop" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalCensus" DL="A" DCa="PSP" xmlns=""


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.7 | 49704 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:02 UTC | 192 | OUT | GET /rules/rule120609v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:03 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:03 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 408
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:33 GMT
                                                                                  ETag: "0x8DC582BB56D3AFB"
                                                                                  x-ms-request-id: 44a2812f-d01e-0028-1207-427896000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174603Z-174f7845968j6t2phC1EWRcfe800000014wg00000000hdzs
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:03 UTC | 408 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120609" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120682" /> <SR T="2" R="^([Dd][Ee][Ll][Ll])"> <S T="1" F="0" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.7 | 49703 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:02 UTC | 192 | OUT | GET /rules/rule120600v4s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:03 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:03 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 2980
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:10 GMT
                                                                                  ETag: "0x8DC582BA80D96A1"
                                                                                  x-ms-request-id: 0a3cdbcf-401e-0016-597f-3f53e0000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174603Z-174f7845968cdxdrhC1EWRg0en00000014p000000000pdue
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:03 UTC | 2980 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120600" V="4" DC="SM" EN="Office.System.SystemHealthMetadataDeviceConsolidated" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa="DC"


Session ID | Source IP | Source Port | Destination IP | Destination Port
4 | 192.168.2.7 | 49701 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:02 UTC | 192 | OUT | GET /rules/rule224902v2s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:03 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:03 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 450
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:25 GMT
                                                                                  ETag: "0x8DC582BD4C869AE"
                                                                                  x-ms-request-id: 22636776-e01e-0003-4fa8-420fa8000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174603Z-174f7845968qj8jrhC1EWRh41s00000014sg0000000081hs
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:03 UTC | 450 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="224902" V="2" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120100" /> <UTS T="2" Id="bbr5q" /> <SS T="3" G="{a36a970d-45a9-4e0d-9cab-2a235cc9d7c6}" /> </S> <C T="G" I="0" O="falseN


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.7 | 49702 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:02 UTC | 192 | OUT | GET /rules/rule120608v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:03 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:03 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 2160
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:03 GMT
                                                                                  ETag: "0x8DC582BA3B95D81"
                                                                                  x-ms-request-id: d2130280-a01e-006f-03c7-4313cd000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174603Z-174f7845968swgbqhC1EWRmnb400000014v000000000r87x
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:03 UTC | 2160 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120608" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <R T="1" R="120609" /> <R T="2" R="120679" /> <R T="3" R="120610" /> <R T="4" R="120612" /> <R T="5" R="120614" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
6 | 192.168.2.7 | 49705 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:05 UTC | 192 | OUT | GET /rules/rule120610v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:05 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:05 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 474
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:46 GMT
                                                                                  ETag: "0x8DC582B9964B277"
                                                                                  x-ms-request-id: 8ccd6c39-f01e-0085-6e81-3f88ea000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174605Z-174f7845968kvnqxhC1EWRmf3g0000000re000000000wa6a
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:05 UTC | 474 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120610" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120609" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
7 | 192.168.2.7 | 49708 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:05 UTC | 192 | OUT | GET /rules/rule120613v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:05 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:05 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 632
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT
                                                                                  ETag: "0x8DC582BB6E3779E"
                                                                                  x-ms-request-id: f20189e0-201e-005d-0f7c-43afb3000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174605Z-174f7845968pght8hC1EWRyvxg00000007ug00000000qnqd
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:05 UTC | 632 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120613" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120611" /> <SR T="2" R="^([Hh][Pp]([^E]|$))"> <S T="1" F="1" M="Ignore" /> </SR> <SR T="3" R="([Hh][Ee][Ww][Ll][Ee]


Session ID | Source IP | Source Port | Destination IP | Destination Port
8 | 192.168.2.7 | 49706 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:05 UTC | 192 | OUT | GET /rules/rule120611v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:05 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:05 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 415
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:56 GMT
                                                                                  ETag: "0x8DC582B9F6F3512"
                                                                                  x-ms-request-id: f5d49257-301e-005d-758c-3fe448000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174605Z-174f7845968jrjrxhC1EWRmmrs00000014z00000000057ca
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:05 UTC | 415 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120611" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120609" /> <SR T="2" R="([Ll][Ee][Nn][Oo][Vv][Oo])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru


Session ID | Source IP | Source Port | Destination IP | Destination Port
9 | 192.168.2.7 | 49709 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:05 UTC | 192 | OUT | GET /rules/rule120614v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:05 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:05 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 467
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:08 GMT
                                                                                  ETag: "0x8DC582BA6C038BC"
                                                                                  x-ms-request-id: 5e64b7e0-d01e-0049-7eb8-42e7dc000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174605Z-174f78459685m244hC1EWRgp2c00000014g000000000t0rn
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:05 UTC | 467 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120614" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120613" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
10 | 192.168.2.7 | 49707 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:05 UTC | 192 | OUT | GET /rules/rule120612v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:05 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:05 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 471
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:25 GMT
                                                                                  ETag: "0x8DC582BB10C598B"
                                                                                  x-ms-request-id: 30944020-a01e-0053-5e8b-3f8603000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174605Z-174f7845968px8v7hC1EWR08ng000000152g000000005sxm
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:05 UTC | 471 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120612" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120611" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
11 | 192.168.2.7 | 49713 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:07 UTC | 192 | OUT | GET /rules/rule120615v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:07 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 407
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:42 GMT
                                                                                  ETag: "0x8DC582BBAD04B7B"
                                                                                  x-ms-request-id: 12c713eb-c01e-0034-6a92-432af6000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174607Z-174f7845968pght8hC1EWRyvxg0000000800000000002588
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:07 UTC | 407 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120615" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120613" /> <SR T="2" R="([Aa][Ss][Uu][Ss])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">


Session ID | Source IP | Source Port | Destination IP | Destination Port
12 | 192.168.2.7 | 49712 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:07 UTC | 192 | OUT | GET /rules/rule120616v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:07 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 486
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:29 GMT
                                                                                  ETag: "0x8DC582BB344914B"
                                                                                  x-ms-request-id: 79414491-c01e-0014-1360-43a6a3000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174607Z-174f7845968psccphC1EWRuz9s00000014yg00000000ncbw
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:07 UTC | 486 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120616" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120615" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
13 | 192.168.2.7 | 49714 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:07 UTC | 192 | OUT | GET /rules/rule120617v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:07 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 427
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:02 GMT
                                                                                  ETag: "0x8DC582BA310DA18"
                                                                                  x-ms-request-id: c665a67d-901e-002a-1b91-3f7a27000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174607Z-174f7845968pf68xhC1EWRr4h800000014zg00000000h2cz
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:07 UTC | 427 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120617" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120615" /> <SR T="2" R="([Mm][Ii][Cc][Rr][Oo][Ss][Oo][Ff][Tt])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"


Session ID | Source IP | Source Port | Destination IP | Destination Port
14 | 192.168.2.7 | 49715 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:07 UTC | 192 | OUT | GET /rules/rule120618v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:08 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 486
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:30 GMT
                                                                                  ETag: "0x8DC582B9018290B"
                                                                                  x-ms-request-id: dc0e488f-901e-005b-3891-3f2005000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174607Z-174f7845968kvnqxhC1EWRmf3g0000000rn00000000070r4
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:08 UTC | 486 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120618" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120617" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
15 | 192.168.2.7 | 49716 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:07 UTC | 192 | OUT | GET /rules/rule120619v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:08 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 407
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:41 GMT
                                                                                  ETag: "0x8DC582B9698189B"
                                                                                  x-ms-request-id: 9f28f116-c01e-008d-51c7-432eec000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174607Z-174f7845968j6t2phC1EWRcfe800000014ug00000000u6cn
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:08 UTC | 407 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120619" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120617" /> <SR T="2" R="([Aa][Cc][Ee][Rr])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">


Session ID | Source IP | Source Port | Destination IP | Destination Port
16 | 192.168.2.7 | 49719 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:09 UTC | 192 | OUT | GET /rules/rule120621v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:10 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:09 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 415
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:03 GMT
                                                                                  ETag: "0x8DC582BA41997E3"
                                                                                  x-ms-request-id: 6ab56c84-d01e-008e-48c7-43387a000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174609Z-174f7845968cdxdrhC1EWRg0en00000014sg000000008d7e
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:10 UTC | 415 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120621" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120619" /> <SR T="2" R="([Vv][Mm][Ww][Aa][Rr][Ee])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  17  192.168.2.7  49720  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:09 UTC  192  OUT  GET /rules/rule120622v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:10 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:09 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 477
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:38 GMT
                                                                                  ETag: "0x8DC582BB8CEAC16"
                                                                                  x-ms-request-id: e9babc56-001e-0049-5291-3f5bd5000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174609Z-174f7845968px8v7hC1EWR08ng000000153g000000002gpm
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:10 UTC  477  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120622" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120621" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  18  192.168.2.7  49718  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:09 UTC  192  OUT  GET /rules/rule120620v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:10 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:09 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 469
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:41 GMT
                                                                                  ETag: "0x8DC582BBA701121"
                                                                                  x-ms-request-id: 417b6c53-401e-0029-0d91-3f9b43000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174609Z-174f7845968kdththC1EWRzvxn0000000gzg00000000xhwb
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:10 UTC  469  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120620" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120619" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  19  192.168.2.7  49722  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:09 UTC  192  OUT  GET /rules/rule120624v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:10 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:10 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 494
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT
                                                                                  ETag: "0x8DC582BB7010D66"
                                                                                  x-ms-request-id: 3fc8b732-401e-0083-1091-3f075c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174610Z-174f7845968kvnqxhC1EWRmf3g0000000rn00000000070uk
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:10 UTC  494  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120624" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120623" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  20  192.168.2.7  49721  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:09 UTC  192  OUT  GET /rules/rule120623v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:10 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:10 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 464
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:43 GMT
                                                                                  ETag: "0x8DC582B97FB6C3C"
                                                                                  x-ms-request-id: a99e6065-701e-006f-4d91-3fafc4000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174610Z-174f7845968swgbqhC1EWRmnb400000014u000000000u620
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:10 UTC  464  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120623" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120621" /> <SR T="2" R="([Gg][Ii][Gg][Aa][Bb][Yy][Tt][Ee] [Tt][Ee][Cc][Hh][Nn][Oo][Ll][Oo][Gg][Yy])"> <S T="1" F="1" M="Ignor


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  21  192.168.2.7  49727  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:12 UTC  192  OUT  GET /rules/rule120626v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:12 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:12 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 472
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:53 GMT
                                                                                  ETag: "0x8DC582B9DACDF62"
                                                                                  x-ms-request-id: 264c510b-001e-000b-0eb2-4215a7000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174612Z-174f7845968jrjrxhC1EWRmmrs00000014t000000000utdk
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:12 UTC  472  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120626" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120625" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  22  192.168.2.7  49725  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:12 UTC  192  OUT  GET /rules/rule120625v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:12 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:12 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 419
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:42 GMT
                                                                                  ETag: "0x8DC582B9748630E"
                                                                                  x-ms-request-id: e044a7be-f01e-003c-0c76-438cf0000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174612Z-174f7845968pf68xhC1EWRr4h800000014wg00000000vwxh
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:12 UTC  419  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120625" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120623" /> <SR T="2" R="([Ff][Uu][Jj][Ii][Tt][Ss][Uu])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  23  192.168.2.7  49726  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:12 UTC  192  OUT  GET /rules/rule120627v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:12 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:12 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 404
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:54 GMT
                                                                                  ETag: "0x8DC582B9E8EE0F3"
                                                                                  x-ms-request-id: 4ee01645-001e-0017-38b5-420c3c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174612Z-174f7845968zgtf6hC1EWRqd8s0000000xug0000000002m2
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:12 UTC  404  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120627" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120625" /> <SR T="2" R="^([Nn][Ee][Cc])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <S


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  24  192.168.2.7  49728  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:12 UTC  192  OUT  GET /rules/rule120628v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:12 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:12 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 468
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:51 GMT
                                                                                  ETag: "0x8DC582B9C8E04C8"
                                                                                  x-ms-request-id: 5181e575-b01e-001e-206f-430214000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174612Z-174f7845968cpnpfhC1EWR3afc00000014c000000000embr
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:12 UTC  468  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120628" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120627" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID  Source IP  Source Port  Destination IP  Destination Port
                                                                                  25  192.168.2.7  49729  13.107.246.63  443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:12 UTC  192  OUT  GET /rules/rule120629v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:12 UTC  470  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:12 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 428
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:17 GMT
                                                                                  ETag: "0x8DC582BAC4F34CA"
                                                                                  x-ms-request-id: b254496e-901e-0016-2991-3fefe9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174612Z-174f7845968xr5c2hC1EWRd0hn0000000pg000000000u042
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:12 UTC | 428 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120629" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120627" /> <SR T="2" R="([Mm][Ii][Cc][Rr][Oo]-[Ss][Tt][Aa][Rr])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"


Session ID | Source IP | Source Port | Destination IP | Destination Port
26 | 192.168.2.7 | 49732 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:14 UTC | 192 | OUT | GET /rules/rule120630v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:14 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:14 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 499
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:45 GMT
                                                                                  ETag: "0x8DC582B98CEC9F6"
                                                                                  x-ms-request-id: f843b097-901e-00ac-53c3-43b69e000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174614Z-174f7845968cpnpfhC1EWR3afc000000149000000000t4h4
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:14 UTC | 499 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120630" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120629" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
27 | 192.168.2.7 | 49733 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:14 UTC | 192 | OUT | GET /rules/rule120632v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:14 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:14 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 471
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:33 GMT
                                                                                  ETag: "0x8DC582BB5815C4C"
                                                                                  x-ms-request-id: 6c824192-201e-0051-0a91-3f7340000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174614Z-174f7845968kvnqxhC1EWRmf3g0000000rn000000000713x
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:14 UTC | 471 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120632" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120631" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
28 | 192.168.2.7 | 49735 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:14 UTC | 192 | OUT | GET /rules/rule120633v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:14 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:14 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 419
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:29 GMT
                                                                                  ETag: "0x8DC582BB32BB5CB"
                                                                                  x-ms-request-id: 305613e8-a01e-006f-5c3c-4113cd000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174614Z-174f7845968pght8hC1EWRyvxg00000007zg000000003rtt
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:14 UTC | 419 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120633" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120631" /> <SR T="2" R="([Ss][Aa][Mm][Ss][Uu][Nn][Gg])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=


Session ID | Source IP | Source Port | Destination IP | Destination Port
29 | 192.168.2.7 | 49734 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:14 UTC | 192 | OUT | GET /rules/rule120631v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:14 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:14 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 415
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT
                                                                                  ETag: "0x8DC582B988EBD12"
                                                                                  x-ms-request-id: 5aec2b48-201e-0085-7d6b-4334e3000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174614Z-174f7845968qj8jrhC1EWRh41s00000014mg00000000sn5w
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:14 UTC | 415 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120631" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120629" /> <SR T="2" R="([Hh][Uu][Aa][Ww][Ee][Ii])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru


Session ID | Source IP | Source Port | Destination IP | Destination Port
30 | 192.168.2.7 | 49736 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:14 UTC | 192 | OUT | GET /rules/rule120634v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:14 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:14 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 494
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:38 GMT
                                                                                  ETag: "0x8DC582BB8972972"
                                                                                  x-ms-request-id: a230c581-101e-0034-3128-4096ff000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174614Z-174f7845968glpgnhC1EWR7uec00000014vg00000000pvza
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:14 UTC | 494 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120634" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120633" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
31 | 192.168.2.7 | 49738 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:16 UTC | 192 | OUT | GET /rules/rule120635v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:16 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:16 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 420
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:53 GMT
                                                                                  ETag: "0x8DC582B9DAE3EC0"
                                                                                  x-ms-request-id: d3507608-601e-003d-4b91-3f6f25000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174616Z-174f78459688l8rvhC1EWRtzr00000000h9000000000rh0p
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:16 UTC | 420 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120635" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120633" /> <SR T="2" R="^([Tt][Oo][Ss][Hh][Ii][Bb][Aa])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O


Session ID | Source IP | Source Port | Destination IP | Destination Port
32 | 192.168.2.7 | 49740 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:16 UTC | 192 | OUT | GET /rules/rule120637v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:17 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:16 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 427
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:12 GMT
                                                                                  ETag: "0x8DC582BA909FA21"
                                                                                  x-ms-request-id: 5810d2d2-301e-0000-6891-3feecc000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174616Z-174f78459688l8rvhC1EWRtzr00000000h8000000000uz7v
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:17 UTC | 427 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120637" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120635" /> <SR T="2" R="([Pp][Aa][Nn][Aa][Ss][Oo][Nn][Ii][Cc])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"


Session ID | Source IP | Source Port | Destination IP | Destination Port
33 | 192.168.2.7 | 49739 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:16 UTC | 192 | OUT | GET /rules/rule120636v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:17 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:16 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 472
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:52 GMT
                                                                                  ETag: "0x8DC582B9D43097E"
                                                                                  x-ms-request-id: f2f6d8ae-201e-0096-414e-41ace6000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174616Z-174f7845968glpgnhC1EWR7uec000000150g000000001m0c
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:17 UTC | 472 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120636" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120635" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
34 | 192.168.2.7 | 49742 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:16 UTC | 192 | OUT | GET /rules/rule120639v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:17 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:17 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 423
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:36 GMT
                                                                                  ETag: "0x8DC582BB7564CE8"
                                                                                  x-ms-request-id: 3b8b6251-d01e-0049-3c33-44e7dc000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174617Z-174f7845968psccphC1EWRuz9s000000150000000000futx
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:17 UTC | 423 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120639" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120637" /> <SR T="2" R="([Dd][Yy][Nn][Aa][Bb][Oo][Oo][Kk])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0


Session ID | Source IP | Source Port | Destination IP | Destination Port
35 | 192.168.2.7 | 49741 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:16 UTC | 192 | OUT | GET /rules/rule120638v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:17 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:17 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 486
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:35 GMT
                                                                                  ETag: "0x8DC582B92FCB436"
                                                                                  x-ms-request-id: 716ae074-c01e-0046-576f-432db9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174617Z-174f7845968xr5c2hC1EWRd0hn0000000pr00000000016yh
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:17 UTC | 486 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120638" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120637" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
36 | 192.168.2.7 | 49744 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:18 UTC | 192 | OUT | GET /rules/rule120640v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:19 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:18 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 478
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:48 GMT
                                                                                  ETag: "0x8DC582B9B233827"
                                                                                  x-ms-request-id: ef6d0e99-401e-0067-3dc7-4309c2000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174618Z-174f78459685726chC1EWRsnbg00000014tg00000000g2zp
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:19 UTC | 478 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120640" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120639" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
37 | 192.168.2.7 | 49745 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:18 UTC | 192 | OUT | GET /rules/rule120641v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:19 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:19 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 404
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:39 GMT
                                                                                  ETag: "0x8DC582B95C61A3C"
                                                                                  x-ms-request-id: 13e6cbbb-001e-005a-04a3-43c3d0000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174619Z-174f7845968swgbqhC1EWRmnb400000014yg000000009b8e
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:19 UTC | 404 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120641" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120639" /> <SR T="2" R="^([Mm][Ss][Ii])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <S


Session ID | Source IP | Source Port | Destination IP | Destination Port
38 | 192.168.2.7 | 49746 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:19 UTC | 192 | OUT | GET /rules/rule120642v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:19 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:19 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 468
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:24 GMT
                                                                                  ETag: "0x8DC582BB046B576"
                                                                                  x-ms-request-id: cdcb5222-c01e-0014-44bd-42a6a3000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174619Z-174f7845968zgtf6hC1EWRqd8s0000000xmg00000000vab5
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:19 UTC | 468 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120642" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120641" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
39 | 192.168.2.7 | 49748 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:19 UTC | 192 | OUT | GET /rules/rule120644v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:19 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:19 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 479
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:37 GMT
                                                                                  ETag: "0x8DC582BB7D702D0"
                                                                                  x-ms-request-id: 6644a72f-f01e-001f-6d66-435dc8000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174619Z-174f7845968ljs8phC1EWRe6en00000014g000000000w3yv
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:19 UTC | 479 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120644" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120643" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
40 | 192.168.2.7 | 49747 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:19 UTC | 192 | OUT | GET /rules/rule120643v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:19 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:19 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 400
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:28 GMT
                                                                                  ETag: "0x8DC582BB2D62837"
                                                                                  x-ms-request-id: 203bed18-201e-006e-51a9-42bbe3000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174619Z-174f7845968frfdmhC1EWRxxbw00000014s000000000nrqd
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:19 UTC | 400 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120643" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120641" /> <SR T="2" R="^([Ll][Gg])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <S T="


Session ID | Source IP | Source Port | Destination IP | Destination Port
41 | 192.168.2.7 | 49750 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:20 UTC | 192 | OUT | GET /rules/rule120645v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:21 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:21 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 425
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:40 GMT
                                                                                  ETag: "0x8DC582BBA25094F"
                                                                                  x-ms-request-id: cb9203b6-501e-0029-2691-3fd0b8000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174621Z-174f7845968cdxdrhC1EWRg0en00000014qg00000000gfqv
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:21 UTC | 425 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120645" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120643" /> <SR T="2" R="([Aa][Mm][Aa][Zz][Oo][Nn] [Ee][Cc]2)"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I=


Session ID | Source IP | Source Port | Destination IP | Destination Port
42 | 192.168.2.7 | 49751 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:21 UTC | 192 | OUT | GET /rules/rule120646v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:21 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:21 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 475
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:28 GMT
                                                                                  ETag: "0x8DC582BB2BE84FD"
                                                                                  x-ms-request-id: fac49ef3-501e-008f-0a91-3f9054000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174621Z-174f78459688l8rvhC1EWRtzr00000000h8000000000uzgx
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:21 UTC | 475 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120646" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120645" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  43 | 192.168.2.7 | 49752 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:21 UTC | 192 | OUT | GET /rules/rule120647v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:21 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:21 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 448
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:29 GMT
                                                                                  ETag: "0x8DC582BB389F49B"
                                                                                  x-ms-request-id: 07e13988-c01e-0049-0444-44ac27000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174621Z-174f784596886s2bhC1EWR743w00000014s000000000mn09
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:21 UTC | 448 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120647" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120645" /> <SR T="2" R="([Aa][Pp][Aa][Cc][Hh][Ee] [Ss][Oo][Ff][Tt][Ww][Aa][Rr][Ee])"> <S T="1" F="1" M="Ignore" /> </SR>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  44 | 192.168.2.7 | 49754 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:21 UTC | 192 | OUT | GET /rules/rule120649v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:21 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:21 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 416
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:21 GMT
                                                                                  ETag: "0x8DC582BAEA4B445"
                                                                                  x-ms-request-id: 6da3e3c6-601e-0084-52b4-426b3f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174621Z-174f7845968kdththC1EWRzvxn0000000h5g000000007btd
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:21 UTC | 416 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120649" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120647" /> <SR T="2" R="^([Ff][Ee][Dd][Oo][Rr][Aa])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tr


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  45 | 192.168.2.7 | 49753 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:21 UTC | 192 | OUT | GET /rules/rule120648v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:21 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:21 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 491
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT
                                                                                  ETag: "0x8DC582B98B88612"
                                                                                  x-ms-request-id: 21da0aac-a01e-0021-7d18-43814c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174621Z-174f7845968nxc96hC1EWRspw800000014d000000000sxty
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:21 UTC | 491 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120648" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120647" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  46 | 192.168.2.7 | 49756 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:23 UTC | 192 | OUT | GET /rules/rule120650v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:23 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:23 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 479
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT
                                                                                  ETag: "0x8DC582B989EE75B"
                                                                                  x-ms-request-id: 59a03737-a01e-00ab-1891-3f9106000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174623Z-174f7845968nxc96hC1EWRspw800000014h000000000akrx
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:23 UTC | 479 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120650" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120649" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  47 | 192.168.2.7 | 49760 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:23 UTC | 192 | OUT | GET /rules/rule120652v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:24 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:23 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 471
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:43 GMT
                                                                                  ETag: "0x8DC582B97E6FCDD"
                                                                                  x-ms-request-id: 4c860516-801e-00a3-3252-437cfb000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174623Z-174f78459684bddphC1EWRbht400000014eg00000000m75b
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:24 UTC | 471 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120652" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120651" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  48 | 192.168.2.7 | 49761 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:23 UTC | 192 | OUT | GET /rules/rule120653v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:24 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:23 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 419
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:51 GMT
                                                                                  ETag: "0x8DC582B9C710B28"
                                                                                  x-ms-request-id: 4e964251-301e-000c-42c4-42323f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174623Z-174f7845968glpgnhC1EWR7uec0000001500000000003a71
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:24 UTC | 419 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120653" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120651" /> <SR T="2" R="([Ii][Nn][Nn][Oo][Tt][Ee][Kk])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  49 | 192.168.2.7 | 49759 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:23 UTC | 192 | OUT | GET /rules/rule120651v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:24 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:23 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 415
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:10 GMT
                                                                                  ETag: "0x8DC582BA80D96A1"
                                                                                  x-ms-request-id: b24172ee-901e-0016-3789-3fefe9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174623Z-174f78459688l8rvhC1EWRtzr00000000ha000000000p4ee
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:24 UTC | 415 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120651" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120649" /> <SR T="2" R="([Gg][Oo][Oo][Gg][Ll][Ee])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tru


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  50 | 192.168.2.7 | 49762 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:23 UTC | 192 | OUT | GET /rules/rule120654v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:24 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:23 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 477
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:05 GMT
                                                                                  ETag: "0x8DC582BA54DCC28"
                                                                                  x-ms-request-id: 7af319f3-d01e-0017-6a91-3fb035000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174623Z-174f78459688l8rvhC1EWRtzr00000000he0000000003w8p
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:24 UTC | 477 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120654" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120653" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.7 | 49764 | 13.107.246.63 | 443 | 2024 | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:25 UTC | 200 | OUT | GET /PlayReady/ACT/Activation.asmx?WSDL&Client=Win10&LinkId=613387 HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept: */*
                                                                                  User-Agent: Microsoft-PlayReady-DRM/1.0
                                                                                  Host: activation2.playready.microsoft.com
2024-12-02 17:46:25 UTC | 466 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:25 GMT
                                                                                  Content-Type: text/xml; charset=utf-8
                                                                                  Content-Length: 6250
                                                                                  Connection: close
                                                                                  Cache-Control: private, max-age=0
                                                                                  X-AspNet-Version: 4.0.30319
                                                                                  Request-Context: appId=cid-v1:79cef274-7303-4874-9131-e08bd3e00d78
                                                                                  Access-Control-Expose-Headers: Request-Context
                                                                                  X-Powered-By: ASP.NET
                                                                                  x-azure-ref: 20241202T174625Z-174f7845968kvnqxhC1EWRmf3g0000000rkg00000000burw
                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:25 UTC | 6250 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><wsdl:definitions xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime


Session ID | Source IP | Source Port | Destination IP | Destination Port
52 | 192.168.2.7 | 49765 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:25 UTC | 192 | OUT | GET /rules/rule120655v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:25 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:25 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 419
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:37 GMT
                                                                                  ETag: "0x8DC582BB7F164C3"
                                                                                  x-ms-request-id: dd02da03-701e-001e-0d91-3ff5e6000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174625Z-174f7845968cdxdrhC1EWRg0en00000014qg00000000gfzy
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:25 UTC | 419 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120655" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120653" /> <SR T="2" R="([Nn][Ii][Mm][Bb][Oo][Xx][Xx])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=


Session ID | Source IP | Source Port | Destination IP | Destination Port
53 | 192.168.2.7 | 49768 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:25 UTC | 192 | OUT | GET /rules/rule120658v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:26 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:26 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 472
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:34 GMT
                                                                                  ETag: "0x8DC582BB650C2EC"
                                                                                  x-ms-request-id: fcd7fe31-301e-0033-0c91-3ffa9c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174626Z-174f78459688l8rvhC1EWRtzr00000000h8g00000000t2rx
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:26 UTC | 472 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120658" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120657" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
54 | 192.168.2.7 | 49766 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:25 UTC | 192 | OUT | GET /rules/rule120656v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:26 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:26 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 477
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:04 GMT
                                                                                  ETag: "0x8DC582BA48B5BDD"
                                                                                  x-ms-request-id: b1291b2a-001e-0028-31ae-43c49f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174626Z-174f7845968frfdmhC1EWRxxbw00000014t000000000hfqd
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:26 UTC | 477 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120656" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120655" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
55 | 192.168.2.7 | 49767 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:25 UTC | 192 | OUT | GET /rules/rule120657v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:26 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:26 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 419
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:57 GMT
                                                                                  ETag: "0x8DC582B9FF95F80"
                                                                                  x-ms-request-id: 27481374-801e-0078-46b4-42bac6000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174626Z-174f7845968j6t2phC1EWRcfe800000014z0000000007tek
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:26 UTC | 419 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120657" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120655" /> <SR T="2" R="([Nn][Uu][Tt][Aa][Nn][Ii][Xx])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=


Session ID | Source IP | Source Port | Destination IP | Destination Port
56 | 192.168.2.7 | 49769 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:26 UTC | 192 | OUT | GET /rules/rule120659v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:26 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:26 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 468
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:30 GMT
                                                                                  ETag: "0x8DC582BB3EAF226"
                                                                                  x-ms-request-id: 67222812-801e-00a0-09a9-422196000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174626Z-174f7845968n2hr8hC1EWR9cag00000014fg0000000047y7
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:26 UTC | 468 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120659" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120657" /> <SR T="2" R="([Oo][Pp][Ee][Nn][Ss][Tt][Aa][Cc][Kk] [Ff][Oo][Uu][Nn][Dd][Aa][Tt][Ii][Oo][Nn])"> <S T="1" F="1" M="I


Session ID | Source IP | Source Port | Destination IP | Destination Port
57 | 192.168.2.7 | 49771 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:27 UTC | 192 | OUT | GET /rules/rule120660v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:28 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:28 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 485
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:39 GMT
                                                                                  ETag: "0x8DC582BB9769355"
                                                                                  x-ms-request-id: e579458c-401e-0064-1dbd-4254af000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174628Z-174f78459684bddphC1EWRbht400000014eg00000000m7hz
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:28 UTC | 485 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120660" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120659" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
58 | 192.168.2.7 | 49772 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:28 UTC | 192 | OUT | GET /rules/rule120661v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:28 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:28 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 411
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT
                                                                                  ETag: "0x8DC582B989AF051"
                                                                                  x-ms-request-id: 4d2a6959-e01e-0085-41b2-42c311000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174628Z-174f7845968zgtf6hC1EWRqd8s0000000xqg00000000fgh9
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:28 UTC | 411 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120661" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120659" /> <SR T="2" R="([Oo][Vv][Ii][Rr][Tt])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">


Session ID | Source IP | Source Port | Destination IP | Destination Port
59 | 192.168.2.7 | 49773 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:28 UTC | 192 | OUT | GET /rules/rule120662v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:28 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:28 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 470
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:42 GMT
                                                                                  ETag: "0x8DC582BBB181F65"
                                                                                  x-ms-request-id: 6d321ea9-801e-007b-3924-42e7ab000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174628Z-174f7845968kdththC1EWRzvxn0000000h1000000000rkt4
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:28 UTC | 470 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120662" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120661" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
60 | 192.168.2.7 | 49775 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:28 UTC | 192 | OUT | GET /rules/rule120663v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:28 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:28 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 427
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:32 GMT
                                                                                  ETag: "0x8DC582BB556A907"
                                                                                  x-ms-request-id: d6e812ca-001e-008d-1b5a-40d91e000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174628Z-174f7845968nxc96hC1EWRspw800000014k0000000007d92
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:28 UTC | 427 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120663" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120661" /> <SR T="2" R="([Pp][Aa][Rr][Aa][Ll][Ll][Ee][Ll][Ss])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"


Session ID | Source IP | Source Port | Destination IP | Destination Port
61 | 192.168.2.7 | 49776 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:28 UTC | 192 | OUT | GET /rules/rule120664v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:28 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:28 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 502
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:35 GMT
                                                                                  ETag: "0x8DC582BB6A0D312"
                                                                                  x-ms-request-id: 63854d8c-901e-007b-2581-3fac50000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174628Z-174f7845968kvnqxhC1EWRmf3g0000000rhg00000000fmav
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:28 UTC | 502 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120664" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120663" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
62 | 192.168.2.7 | 49774 | 13.107.246.63 | 443 | 2024 | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:29 UTC | 595 | OUT | POST /PlayReady/ACT/Activation.asmx HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Content-Type: text/xml; charset=utf-8
                                                                                  Accept: */*
                                                                                  User-Agent: Microsoft-PlayReady-DRM/1.0
                                                                                  x-playready-info: OSVersion=10.0; ClientDllVersion=Windows.Media.Protection.PlayReady.dll/10.0.19041.2006 (WinBuild.160101.0800); Session=eacca7c5a6bc682cdfeca64c426a7eaf; StoreAppID=Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo;
                                                                                  X-XblCorrelationId: 4891803609030095488
                                                                                  SOAPAction: "http://schemas.microsoft.com/PlayReady/ActivationService/v1/Activate"
                                                                                  Content-Length: 3580
                                                                                  Host: activation2.playready.microsoft.com
2024-12-02 17:46:29 UTC | 3580 | OUT | Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Activate xmlns="http://schemas.micro
2024-12-02 17:46:29 UTC | 466 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:29 GMT
                                                                                  Content-Type: text/xml; charset=utf-8
                                                                                  Content-Length: 7264
                                                                                  Connection: close
                                                                                  Cache-Control: private, max-age=0
                                                                                  X-AspNet-Version: 4.0.30319
                                                                                  Request-Context: appId=cid-v1:79cef274-7303-4874-9131-e08bd3e00d78
                                                                                  Access-Control-Expose-Headers: Request-Context
                                                                                  X-Powered-By: ASP.NET
                                                                                  x-azure-ref: 20241202T174629Z-174f7845968ljs8phC1EWRe6en00000014fg00000000xn4g
                                                                                  X-Cache: CONFIG_NOCACHE
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:29 UTC | 7264 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ActivateResponse xmlns="http://schem


Session ID | Source IP | Source Port | Destination IP | Destination Port
63 | 192.168.2.7 | 49778 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:30 UTC | 192 | OUT | GET /rules/rule120665v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:30 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:30 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 407
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:52 GMT
                                                                                  ETag: "0x8DC582B9D30478D"
                                                                                  x-ms-request-id: 14d8e695-801e-008c-6b91-3f7130000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174630Z-174f7845968ljs8phC1EWRe6en00000014r0000000000w2r
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:30 UTC | 407 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120665" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120663" /> <SR T="2" R="([Pp][Ss][Ss][Cc])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">


Session ID | Source IP | Source Port | Destination IP | Destination Port
64 | 192.168.2.7 | 49781 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:30 UTC | 192 | OUT | GET /rules/rule120668v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:30 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:30 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 469
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:30 GMT
                                                                                  ETag: "0x8DC582BB3CAEBB8"
                                                                                  x-ms-request-id: d3508ca6-601e-003d-4e91-3f6f25000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174630Z-174f7845968nxc96hC1EWRspw800000014e000000000qae1
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:30 UTC | 469 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120668" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120667" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
65 | 192.168.2.7 | 49779 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:30 UTC | 192 | OUT | GET /rules/rule120666v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:30 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:30 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 474
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:30 GMT
                                                                                  ETag: "0x8DC582BB3F48DAE"
                                                                                  x-ms-request-id: 1fbe2e95-401e-0083-4bb4-43075c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174630Z-174f7845968qj8jrhC1EWRh41s00000014ng00000000npud
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:30 UTC | 474 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120666" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120665" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
66 | 192.168.2.7 | 49780 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:30 UTC | 192 | OUT | GET /rules/rule120667v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:46:30 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:30 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 408
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:40 GMT
                                                                                  ETag: "0x8DC582BB9B6040B"
                                                                                  x-ms-request-id: dcd7ccea-901e-005b-7bbf-432005000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174630Z-174f7845968glpgnhC1EWR7uec00000014v000000000rmwz
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:46:30 UTC | 408 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120667" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120665" /> <SR T="2" R="^([Qq][Ee][Mm][Uu])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true">


Session ID | Source IP | Source Port | Destination IP | Destination Port
67 | 192.168.2.7 | 49782 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:30 UTC | 192 | OUT | GET /rules/rule120669v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:30 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:30 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 416
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:32 GMT
                                                                                  ETag: "0x8DC582BB5284CCE"
                                                                                  x-ms-request-id: 8b39e191-d01e-0065-5191-3fb77a000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174630Z-174f78459688l8rvhC1EWRtzr00000000hf0000000000bbs
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:30 UTC | 416 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120669" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120667" /> <SR T="2" R="([Rr][Ee][Dd] [Hh][Aa][Tt])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="tr


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  68 | 192.168.2.7 | 49783 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:32 UTC | 192 | OUT | GET /rules/rule120670v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:32 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:32 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 472
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:33 GMT
                                                                                  ETag: "0x8DC582B91EAD002"
                                                                                  x-ms-request-id: 1e6e7a31-701e-0098-6aa5-43395f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174632Z-174f7845968n2hr8hC1EWR9cag00000014gg0000000003ab
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:32 UTC | 472 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120670" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120669" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  69 | 192.168.2.7 | 49784 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:32 UTC | 192 | OUT | GET /rules/rule120671v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:32 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:32 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 432
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:15 GMT
                                                                                  ETag: "0x8DC582BAABA2A10"
                                                                                  x-ms-request-id: 657660fb-a01e-00ab-52ac-439106000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174632Z-174f7845968vqt9xhC1EWRgten00000014tg00000000f3zn
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:32 UTC | 432 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120671" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120669" /> <SR T="2" R="^([Ss][Uu][Pp][Ee][Rr][Mm][Ii][Cc][Rr][Oo])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  70 | 192.168.2.7 | 49785 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:32 UTC | 192 | OUT | GET /rules/rule120672v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:33 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:32 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 475
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:41 GMT
                                                                                  ETag: "0x8DC582BBA740822"
                                                                                  x-ms-request-id: a0ab9ddc-d01e-00ad-54a3-43e942000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174632Z-174f7845968nxc96hC1EWRspw800000014h000000000am6u
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:33 UTC | 475 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120672" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120671" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  71 | 192.168.2.7 | 49787 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:32 UTC | 192 | OUT | GET /rules/rule120674v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:33 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:32 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 474
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:03 GMT
                                                                                  ETag: "0x8DC582BA4037B0D"
                                                                                  x-ms-request-id: 89e8b03d-001e-0065-5291-3f0b73000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174632Z-174f78459688l8rvhC1EWRtzr00000000ha000000000p559
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:33 UTC | 474 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120674" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120673" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  72 | 192.168.2.7 | 49789 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:34 UTC | 192 | OUT | GET /rules/rule120675v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:40 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:40 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 419
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:08 GMT
                                                                                  ETag: "0x8DC582BA6CF78C8"
                                                                                  x-ms-request-id: 4f79ec39-601e-0070-0891-3fa0c9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174640Z-174f7845968xr5c2hC1EWRd0hn0000000pkg00000000hxt9
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:40 UTC | 419 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120675" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120673" /> <SR T="2" R="([Uu][Pp][Cc][Ll][Oo][Uu][Dd])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  73 | 192.168.2.7 | 49790 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:34 UTC | 192 | OUT | GET /rules/rule120676v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:35 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:34 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 472
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:44 GMT
                                                                                  ETag: "0x8DC582B984BF177"
                                                                                  x-ms-request-id: 3bad3b8c-e01e-001f-0534-411633000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174634Z-174f7845968zgtf6hC1EWRqd8s0000000xr000000000dt27
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:35 UTC | 472 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120676" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120675" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  74 | 192.168.2.7 | 49791 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:34 UTC | 192 | OUT | GET /rules/rule120677v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:40 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:40 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 405
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:37 GMT
                                                                                  ETag: "0x8DC582B942B6AFF"
                                                                                  x-ms-request-id: 1fa1d210-401e-0067-3791-3f09c2000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174640Z-174f7845968xr5c2hC1EWRd0hn0000000pk000000000kssr
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:40 UTC | 405 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120677" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120675" /> <SR T="2" R="(^[Xx][Ee][Nn]$)"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W" I="0" O="true"> <


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  75 | 192.168.2.7 | 49792 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:34 UTC | 192 | OUT | GET /rules/rule120678v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:35 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:35 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 468
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:41 GMT
                                                                                  ETag: "0x8DC582BBA642BF4"
                                                                                  x-ms-request-id: 4f55dbf3-401e-005b-2250-439c0c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174635Z-174f7845968frfdmhC1EWRxxbw00000014q000000000wcmn
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:35 UTC | 468 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120678" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120677" /> <TH T="2"> <O T="EQ"> <L> <U T="EqualsNull"> <S T="1" F="0" M="Ignore" />


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  76 | 192.168.2.7 | 49793 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:36 UTC | 192 | OUT | GET /rules/rule120679v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:37 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:37 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 174
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:33 GMT
                                                                                  ETag: "0x8DC582B91D80E15"
                                                                                  x-ms-request-id: 357a15c2-f01e-001f-47c7-435dc8000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174637Z-174f78459684bddphC1EWRbht400000014cg00000000uxrb
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:37 UTC | 174 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120679" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120677" /> </S> <T> <S T="1" /> </T></R>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  77 | 192.168.2.7 | 49795 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:37 UTC | 192 | OUT | GET /rules/rule120680v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:37 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:37 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1952
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:39 GMT
                                                                                  ETag: "0x8DC582B956B0F3D"
                                                                                  x-ms-request-id: b5b05efe-701e-0001-4ea6-43b110000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174637Z-174f7845968xlwnmhC1EWR0sv800000014n000000000aa9a
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:37 UTC | 1952 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120680" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <SS T="1" G="{b1676ac3-7fee-44a9-9a0e-dbb0b496efa5}" /> <R T="2" R="120682" /> <F T="3"> <O T="LT"> <L>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  78 | 192.168.2.7 | 49786 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:37 UTC | 192 | OUT | GET /rules/rule120673v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:38 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:37 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 427
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:31 GMT
                                                                                  ETag: "0x8DC582BB464F255"
                                                                                  x-ms-request-id: 8aad1780-e01e-0020-7ed6-43de90000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174637Z-174f7845968ljs8phC1EWRe6en00000014q0000000004k8r
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:38 UTC | 427 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120673" V="0" DC="SM" T="Subrule" xmlns=""> <S> <R T="1" R="120671" /> <SR T="2" R="([Tt][Hh][Ii][Nn][Pp][Uu][Tt][Ee][Rr])"> <S T="1" F="1" M="Ignore" /> </SR> </S> <C T="W"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  79 | 192.168.2.7 | 49796 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:39 UTC | 192 | OUT | GET /rules/rule120681v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:39 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:39 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 958
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:58 GMT
                                                                                  ETag: "0x8DC582BA0A31B3B"
                                                                                  x-ms-request-id: 3b4a45e1-301e-001f-7c68-43aa3a000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174639Z-174f7845968qj8jrhC1EWRh41s00000014mg00000000spu3
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:39 UTC | 958 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120681" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <R T="1" R="120608" /> <R T="2" R="120680" /> <TH T="3"> <O T="AND"> <L> <O T="EQ"> <L>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  80 | 192.168.2.7 | 49797 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:39 UTC | 192 | OUT | GET /rules/rule120682v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:39 UTC | 470 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:39 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 501
                                                                                  Connection: close
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:18 GMT
                                                                                  ETag: "0x8DC582BACFDAACD"
                                                                                  x-ms-request-id: 4c7796e8-801e-0083-47a6-43f0ae000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174639Z-174f7845968ljs8phC1EWRe6en00000014m000000000g62h
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:39 UTC | 501 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120682" V="0" DC="SM" T="Subrule" DCa="PSU" xmlns=""> <S> <A T="1" E="TelemetryStartup" /> <R T="2" R="120100" /> <SS T="3" G="{b1676ac3-7fee-44a9-9a0e-dbb0b496efa5}" /> </S> <C T="


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  81 | 192.168.2.7 | 49799 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:39 UTC | 193 | OUT | GET /rules/rule120602v10s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:40 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:40 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 2592
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:26:33 GMT
                                                                                  ETag: "0x8DC582BB5B890DB"
                                                                                  x-ms-request-id: db283756-601e-0070-61b4-43a0c9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174640Z-174f7845968pf68xhC1EWRr4h800000014z000000000kn8z
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:40 UTC | 2592 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120602" V="10" DC="SM" EN="Office.System.SystemHealthMetadataApplicationAndLanguage" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  82 | 192.168.2.7 | 49800 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:41 UTC | 192 | OUT | GET /rules/rule120601v3s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:41 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:41 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 3342
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:25:34 GMT
                                                                                  ETag: "0x8DC582B927E47E9"
                                                                                  x-ms-request-id: 6eac8613-a01e-006f-3091-3f13cd000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174641Z-174f7845968kdththC1EWRzvxn0000000h700000000012vk
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:41 UTC | 3342 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="120601" V="3" DC="SM" EN="Office.System.SystemHealthMetadataOS" ATT="cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521" SP="CriticalBusinessImpact" DL="A" DCa="DC" xmlns=""> <RI


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  83 | 192.168.2.7 | 49801 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:41 UTC | 193 | OUT | GET /rules/rule224901v11s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:42 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:41 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 2284
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:13 GMT
                                                                                  ETag: "0x8DC582BCD58BEEE"
                                                                                  x-ms-request-id: ab0c55e0-101e-00a2-20a2-429f2e000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174641Z-174f7845968swgbqhC1EWRmnb4000000150g0000000021kb
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:42 UTC | 2284 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="224901" V="11" DC="SM" EN="Office.Licensing.OfficeClientLicensing.DoLicenseValidation" ATT="c1a0db0127964674a0d62fde5ab0fe62-6ec4ac45-cebc-4f80-aa83-b6b9d3a86ed7-7719" SP="CriticalCensus" T="Upload-Medium"


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  84          192.168.2.7  49802        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:42 UTC  191  OUT  GET /rules/rule90401v3s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:42 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:42 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1250
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:41 GMT
                                                                                  ETag: "0x8DC582BDE4487AA"
                                                                                  x-ms-request-id: baa0a071-001e-0082-5b91-3f5880000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174642Z-174f7845968xlwnmhC1EWR0sv800000014m000000000e927
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:42 UTC  1250  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="90401" V="3" DC="ESM" EN="Office.Telemetry.SamplingPolicy" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" DL="A" DCa="PSP PSU" xmlns=""> <RIS> <RI N="Metadata" />


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  85          192.168.2.7  49804        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:42 UTC  192  OUT  GET /rules/rule701201v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:43 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:42 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1393
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:51 GMT
                                                                                  ETag: "0x8DC582BE3E55B6E"
                                                                                  x-ms-request-id: d2df421c-b01e-0021-5593-43cab7000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174642Z-174f7845968frfdmhC1EWRxxbw00000014ug00000000brd9
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:43 UTC  1393  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701201" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Xaml.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenXaml"


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  86          192.168.2.7  49805        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:42 UTC  192  OUT  GET /rules/rule701200v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:43 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:42 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1356
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:38 GMT
                                                                                  ETag: "0x8DC582BDC681E17"
                                                                                  x-ms-request-id: 4455d6fa-e01e-0052-2ea9-42d9df000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174642Z-174f78459685m244hC1EWRgp2c00000014mg00000000cksh
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:43 UTC  1356  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701200" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Xaml" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenXaml" S="Medium" /> <F T="2">


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  87          192.168.2.7  49806        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:43 UTC  192  OUT  GET /rules/rule700201v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:44 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:44 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1393
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:50 GMT
                                                                                  ETag: "0x8DC582BE39DFC9B"
                                                                                  x-ms-request-id: 4793f8bc-701e-0053-5872-433a0a000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174644Z-174f7845968kdththC1EWRzvxn0000000h2000000000m02t
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:44 UTC  1393  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700201" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Word.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenWord"


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  88          192.168.2.7  49807        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:43 UTC  192  OUT  GET /rules/rule700200v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:44 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:44 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1356
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:43 GMT
                                                                                  ETag: "0x8DC582BDF66E42D"
                                                                                  x-ms-request-id: 3d9c3aa7-901e-00ac-5891-3fb69e000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174644Z-174f7845968kdththC1EWRzvxn0000000h50000000008nnc
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:44 UTC  1356  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700200" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Word" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenWord" S="Medium" /> <F T="2">


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  89          192.168.2.7  49808        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:44 UTC  192  OUT  GET /rules/rule702351v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:44 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:44 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1395
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:44 GMT
                                                                                  ETag: "0x8DC582BE017CAD3"
                                                                                  x-ms-request-id: 2eabf22f-f01e-005d-68dc-4313ba000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174644Z-174f7845968nxc96hC1EWRspw800000014dg00000000rr7b
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:44 UTC  1395  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702351" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Voice.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVoic


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  90          192.168.2.7  49809        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:44 UTC  192  OUT  GET /rules/rule702350v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:45 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:45 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1358
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:54 GMT
                                                                                  ETag: "0x8DC582BE6431446"
                                                                                  x-ms-request-id: 00f8033d-001e-000b-2543-4415a7000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174645Z-174f7845968px8v7hC1EWR08ng00000015200000000084xm
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:45 UTC  1358  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702350" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Voice" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVoice" S="Medium" /> <F T="2">


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  91          192.168.2.7  49810        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:44 UTC  192  OUT  GET /rules/rule701251v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:45 UTC  494  IN  HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:45 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1395
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:41 GMT
                                                                                  ETag: "0x8DC582BDE12A98D"
                                                                                  x-ms-request-id: e61fb942-301e-000c-78b4-43323f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174645Z-174f7845968n2hr8hC1EWR9cag00000014c000000000heg6
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:45 UTC  1395  IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701251" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Visio.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVisi


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  92          192.168.2.7  49811        13.107.246.63   443
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:46:46 UTC  192  OUT  GET /rules/rule701250v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:46 UTC494INHTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:46 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1358
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:44 GMT
                                                                                  ETag: "0x8DC582BE022ECC5"
                                                                                  x-ms-request-id: 73839456-501e-000a-0a63-430180000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174646Z-174f7845968jrjrxhC1EWRmmrs00000014xg00000000b18z
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:46 UTC | 1358 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701250" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Visio" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenVisio" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  93 | 192.168.2.7 | 49812 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:46 UTC | 192 | OUT | GET /rules/rule700051v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:46 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:46 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1389
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT
                                                                                  ETag: "0x8DC582BE10A6BC1"
                                                                                  x-ms-request-id: 254393c3-001e-0066-2422-41561e000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174646Z-174f7845968xlwnmhC1EWR0sv800000014n000000000ab2s
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:46 UTC | 1389 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700051" V="1" DC="SM" EN="Office.Telemetry.Event.Office.UX.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenUX" S="


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  94 | 192.168.2.7 | 49813 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:46 UTC | 192 | OUT | GET /rules/rule700050v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:47 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:47 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1352
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:28:01 GMT
                                                                                  ETag: "0x8DC582BE9DEEE28"
                                                                                  x-ms-request-id: 717d5930-e01e-001f-2a2b-441633000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174647Z-174f7845968cdxdrhC1EWRg0en00000014ng00000000sdk4
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:47 UTC | 1352 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700050" V="1" DC="SM" EN="Office.Telemetry.Event.Office.UX" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenUX" S="Medium" /> <F T="2"> <O T


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  95 | 192.168.2.7 | 49814 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:47 UTC | 192 | OUT | GET /rules/rule702951v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:47 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:47 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1405
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT
                                                                                  ETag: "0x8DC582BE12B5C71"
                                                                                  x-ms-request-id: 44636861-901e-0083-5170-43bb55000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174647Z-174f7845968ljs8phC1EWRe6en00000014k000000000mncy
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:47 UTC | 1405 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702951" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Translator.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantToke


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  96 | 192.168.2.7 | 49815 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:47 UTC | 192 | OUT | GET /rules/rule702950v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:47 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:47 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1368
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:40 GMT
                                                                                  ETag: "0x8DC582BDDC22447"
                                                                                  x-ms-request-id: 14abde1b-801e-0047-6aab-437265000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174647Z-174f7845968xr5c2hC1EWRd0hn0000000pqg0000000033xv
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:47 UTC | 1368 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702950" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Translator" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenTranslator" S="Medium" /> <F T=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  97 | 192.168.2.7 | 49816 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:48 UTC | 192 | OUT | GET /rules/rule701151v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:48 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:48 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1401
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:45 GMT
                                                                                  ETag: "0x8DC582BE055B528"
                                                                                  x-ms-request-id: e9f7249a-b01e-00ab-72be-42dafd000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174648Z-174f7845968zgtf6hC1EWRqd8s0000000xr000000000dtvm
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:48 UTC | 1401 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701151" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Text.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenTextA


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  98 | 192.168.2.7 | 49817 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:48 UTC | 192 | OUT | GET /rules/rule701150v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:48 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:48 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1364
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT
                                                                                  ETag: "0x8DC582BE1223606"
                                                                                  x-ms-request-id: 8c7215b7-001e-00ad-4224-44554b000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174648Z-174f78459685726chC1EWRsnbg00000014vg00000000900g
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:48 UTC | 1364 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701150" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Text" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenTextAndFonts" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  99 | 192.168.2.7 | 49818 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:49 UTC | 192 | OUT | GET /rules/rule702201v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:49 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:49 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1397
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:56 GMT
                                                                                  ETag: "0x8DC582BE7262739"
                                                                                  x-ms-request-id: f24b5158-501e-0047-6a59-43ce6c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174649Z-174f7845968n2hr8hC1EWR9cag000000149000000000xa8m
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:49 UTC | 1397 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702201" V="1" DC="SM" EN="Office.Telemetry.Event.Office.TellMe.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenTel


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  100 | 192.168.2.7 | 49819 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:49 UTC | 192 | OUT | GET /rules/rule702200v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:49 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:49 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1360
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:40 GMT
                                                                                  ETag: "0x8DC582BDDEB5124"
                                                                                  x-ms-request-id: bdb61e3c-f01e-0099-1ac7-439171000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174649Z-174f7845968ljs8phC1EWRe6en00000014mg00000000enxf
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:49 UTC | 1360 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702200" V="1" DC="SM" EN="Office.Telemetry.Event.Office.TellMe" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenTellMe" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  101 | 192.168.2.7 | 49820 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:49 UTC | 192 | OUT | GET /rules/rule700401v2s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:49 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:49 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1403
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:38 GMT
                                                                                  ETag: "0x8DC582BDCB4853F"
                                                                                  x-ms-request-id: 39707a40-001e-00a2-1737-43d4d5000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174649Z-174f7845968qj8jrhC1EWRh41s00000014s000000000a5x4
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:49 UTC | 1403 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700401" V="2" DC="SM" EN="Office.Telemetry.Event.Office.Telemetry.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantToken


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  102 | 192.168.2.7 | 49822 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:50 UTC | 192 | OUT | GET /rules/rule700400v2s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:50 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:50 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1366
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:36 GMT
                                                                                  ETag: "0x8DC582BDB779FC3"
                                                                                  x-ms-request-id: 2467a365-a01e-00ab-65f1-439106000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174650Z-174f7845968psccphC1EWRuz9s0000001540000000000a3c
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:50 UTC | 1366 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700400" V="2" DC="SM" EN="Office.Telemetry.Event.Office.Telemetry" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenTelemetry" S="Medium" /> <F T="2


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  103 | 192.168.2.7 | 49823 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:50 UTC | 192 | OUT | GET /rules/rule700351v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:51 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:50 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1397
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:44 GMT
                                                                                  ETag: "0x8DC582BDFD43C07"
                                                                                  x-ms-request-id: 709a1193-501e-00a3-3559-43c0f2000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174650Z-174f7845968glpgnhC1EWR7uec00000014x000000000gm2z
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:51 UTC | 1397 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700351" V="1" DC="SM" EN="Office.Telemetry.Event.Office.System.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenSys


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  104 | 192.168.2.7 | 49824 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:51 UTC | 192 | OUT | GET /rules/rule700350v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:51 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:51 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1360
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:40 GMT
                                                                                  ETag: "0x8DC582BDD74D2EC"
                                                                                  x-ms-request-id: 242ec292-a01e-00ab-4ed5-439106000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174651Z-174f7845968j6t2phC1EWRcfe800000014y000000000cazv
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:51 UTC | 1360 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700350" V="1" DC="SM" EN="Office.Telemetry.Event.Office.System" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenSystem" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  105 | 192.168.2.7 | 49825 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:51 UTC | 192 | OUT | GET /rules/rule703901v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:52 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:51 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1427
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:53 GMT
                                                                                  ETag: "0x8DC582BE56F6873"
                                                                                  x-ms-request-id: c562a2d5-001e-0082-3a33-445880000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174651Z-174f7845968vqt9xhC1EWRgten00000014q000000000wfr1
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:52 UTC | 1427 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703901" V="0" DC="SM" EN="Office.Telemetry.Event.Office.ServiceabilityManager.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="Nexu


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  106 | 192.168.2.7 | 49827 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:51 UTC | 192 | OUT | GET /rules/rule703900v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:52 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:52 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1390
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:49 GMT
                                                                                  ETag: "0x8DC582BE3002601"
                                                                                  x-ms-request-id: e52eaca9-401e-0064-32a1-4254af000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174652Z-174f7845968j6t2phC1EWRcfe8000000150g00000000222d
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:52 UTC | 1390 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703900" V="0" DC="SM" EN="Office.Telemetry.Event.Office.ServiceabilityManager" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenServiceabilityManager" S=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  107 | 192.168.2.7 | 49829 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:52 UTC | 192 | OUT | GET /rules/rule701500v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:53 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:53 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1364
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:28:03 GMT
                                                                                  ETag: "0x8DC582BEB6AD293"
                                                                                  x-ms-request-id: 62ff000c-201e-006e-5b3f-41bbe3000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174653Z-174f7845968zgtf6hC1EWRqd8s0000000xtg000000003uf0
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:53 UTC | 1364 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701500" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Security" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenSecurity" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  108 | 192.168.2.7 | 49828 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:52 UTC | 192 | OUT | GET /rules/rule701501v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:53 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:53 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1401
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:48 GMT
                                                                                  ETag: "0x8DC582BE2A9D541"
                                                                                  x-ms-request-id: 36571fa1-001e-0079-6699-4312e8000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174653Z-174f78459685726chC1EWRsnbg00000014xg0000000016w7
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:53 UTC | 1401 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701501" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Security.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenS


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  109 | 192.168.2.7 | 49830 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:53 UTC | 192 | OUT | GET /rules/rule702801v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:54 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:53 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1391
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:43 GMT
                                                                                  ETag: "0x8DC582BDF58DC7E"
                                                                                  x-ms-request-id: df02ced2-c01e-0046-0352-442db9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174653Z-174f7845968ljs8phC1EWRe6en00000014qg000000002kgh
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:54 UTC | 1391 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702801" V="1" DC="SM" EN="Office.Telemetry.Event.Office.SDX.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenSDX" S


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  110 | 192.168.2.7 | 49832 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:54 UTC | 192 | OUT | GET /rules/rule703351v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:54 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:54 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1403
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:39 GMT
                                                                                  ETag: "0x8DC582BDCDD6400"
                                                                                  x-ms-request-id: 069fcaeb-401e-0016-5ff7-4153e0000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174654Z-174f7845968vqt9xhC1EWRgten00000014u000000000d8rk
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:54 UTC | 1403 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703351" V="0" DC="SM" EN="Office.Telemetry.Event.Office.ScriptLab.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantToken


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  111 | 192.168.2.7 | 49831 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:54 UTC | 192 | OUT | GET /rules/rule702800v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:54 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:54 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1354
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:45 GMT
                                                                                  ETag: "0x8DC582BE0662D7C"
                                                                                  x-ms-request-id: 32ac451f-a01e-0050-6491-3fdb6e000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174654Z-174f7845968xr5c2hC1EWRd0hn0000000pk000000000ktrx
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:54 UTC | 1354 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702800" V="1" DC="SM" EN="Office.Telemetry.Event.Office.SDX" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenSDX" S="Medium" /> <F T="2"> <O


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  112 | 192.168.2.7 | 49834 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:54 UTC | 192 | OUT | GET /rules/rule703350v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:55 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:55 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1366
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:42 GMT
                                                                                  ETag: "0x8DC582BDF1E2608"
                                                                                  x-ms-request-id: 0b0e70ef-c01e-00ad-0cbd-42a2b9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174655Z-174f7845968px8v7hC1EWR08ng000000150000000000g2uw
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:55 UTC | 1366 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703350" V="0" DC="SM" EN="Office.Telemetry.Event.Office.ScriptLab" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenScriptLab" S="Medium" /> <F T="2


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  113 | 192.168.2.7 | 49835 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:55 UTC | 192 | OUT | GET /rules/rule703501v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:55 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:55 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1399
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:59 GMT
                                                                                  ETag: "0x8DC582BE8C605FF"
                                                                                  x-ms-request-id: b12f5008-901e-002a-4fa2-427a27000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174655Z-174f7845968zgtf6hC1EWRqd8s0000000xtg000000003uk5
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:55 UTC | 1399 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703501" V="0" DC="SM" EN="Office.Telemetry.Event.Office.Sandbox.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenSa


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  114 | 192.168.2.7 | 49836 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:55 UTC | 192 | OUT | GET /rules/rule703500v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:56 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:56 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1362
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:43 GMT
                                                                                  ETag: "0x8DC582BDF497570"
                                                                                  x-ms-request-id: 0ad7255b-c01e-00ad-65a2-42a2b9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174656Z-174f7845968px8v7hC1EWR08ng00000014x000000000wgdh
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:56 UTC | 1362 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703500" V="0" DC="SM" EN="Office.Telemetry.Event.Office.Sandbox" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenSandbox" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  115 | 192.168.2.7 | 49838 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:56 UTC | 192 | OUT | GET /rules/rule701800v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:56 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:56 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1366
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:28:01 GMT
                                                                                  ETag: "0x8DC582BEA414B16"
                                                                                  x-ms-request-id: 2554c198-401e-005b-1ab4-439c0c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174656Z-174f7845968px8v7hC1EWR08ng00000014wg00000000z8g0
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:56 UTC | 1366 | IN |
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701800" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Resources" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenResources" S="Medium" /> <F T="2


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  116 | 192.168.2.7 | 49839 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:46:57 UTC | 192 | OUT | GET /rules/rule701051v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:46:57 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:46:57 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1399
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:47 GMT
                                                                                  ETag: "0x8DC582BE1CC18CD"
                                                                                  x-ms-request-id: a132b298-601e-0070-6cf9-43a0c9000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174657Z-174f7845968qj8jrhC1EWRh41s00000014p000000000mg3s
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:46:57 UTC1399INData Raw: ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 52 20 49 64 3d 22 37 30 31 30 35 31 22 20 56 3d 22 31 22 20 44 43 3d 22 53 4d 22 20 45 4e 3d 22 4f 66 66 69 63 65 2e 54 65 6c 65 6d 65 74 72 79 2e 45 76 65 6e 74 2e 4f 66 66 69 63 65 2e 52 65 6c 65 61 73 65 2e 43 72 69 74 69 63 61 6c 22 20 53 50 3d 22 43 72 69 74 69 63 61 6c 42 75 73 69 6e 65 73 73 49 6d 70 61 63 74 22 20 44 4c 3d 22 41 22 20 78 6d 6c 6e 73 3d 22 22 3e 0d 0a 20 20 3c 52 49 53 3e 0d 0a 20 20 20 20 3c 52 49 20 4e 3d 22 45 76 65 6e 74 22 20 2f 3e 0d 0a 20 20 3c 2f 52 49 53 3e 0d 0a 20 20 3c 53 3e 0d 0a 20 20 20 20 3c 55 43 53 53 20 54 3d 22 31 22 20 43 3d 22 4e 65 78 75 73 54 65 6e 61 6e 74 54 6f 6b 65 6e 52 65
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701051" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Release.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenRe


Session ID | Source IP | Source Port | Destination IP | Destination Port
117 | 192.168.2.7 | 49840 | 13.107.246.63 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:57 UTC | 192 | OUT | GET /rules/rule701050v1s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:57 UTC | 494 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 17:46:57 GMT
Content-Type: text/xml
Content-Length: 1362
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:03 GMT
ETag: "0x8DC582BEB256F43"
x-ms-request-id: 6460b669-f01e-00aa-725a-448521000000
x-ms-version: 2018-03-28
x-azure-ref: 20241202T174657Z-174f7845968glpgnhC1EWR7uec0000001500000000003cnp
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-12-02 17:46:57 UTC | 1362 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701050" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Release" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenRelease" S="Medium" /> <F T="2">


Session ID | Source IP | Source Port | Destination IP | Destination Port
118 | 192.168.2.7 | 49837 | 13.107.246.63 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:57 UTC | 192 | OUT | GET /rules/rule701801v1s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:58 UTC | 494 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 17:46:57 GMT
Content-Type: text/xml
Content-Length: 1403
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:38 GMT
ETag: "0x8DC582BDC2EEE03"
x-ms-request-id: a8b72aac-901e-005b-059f-432005000000
x-ms-version: 2018-03-28
x-azure-ref: 20241202T174657Z-174f7845968vqt9xhC1EWRgten00000014vg000000007ncf
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-12-02 17:46:58 UTC | 1403 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701801" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Resources.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantToken


Session ID | Source IP | Source Port | Destination IP | Destination Port
119 | 192.168.2.7 | 49841 | 13.107.246.63 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:58 UTC | 192 | OUT | GET /rules/rule702751v1s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:58 UTC | 494 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 17:46:58 GMT
Content-Type: text/xml
Content-Length: 1403
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:03 GMT
ETag: "0x8DC582BEB866CDB"
x-ms-request-id: 6361a643-501e-0047-3bd4-43ce6c000000
x-ms-version: 2018-03-28
x-azure-ref: 20241202T174658Z-174f7845968nxc96hC1EWRspw800000014n00000000001pa
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-12-02 17:46:58 UTC | 1403 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702751" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Publisher.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantToken


Session ID | Source IP | Source Port | Destination IP | Destination Port
120 | 192.168.2.7 | 49842 | 13.107.246.63 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:58 UTC | 192 | OUT | GET /rules/rule702750v1s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:59 UTC | 494 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 17:46:58 GMT
Content-Type: text/xml
Content-Length: 1366
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:54 GMT
ETag: "0x8DC582BE5B7B174"
x-ms-request-id: 621fcd15-801e-008c-0d40-447130000000
x-ms-version: 2018-03-28
x-azure-ref: 20241202T174658Z-174f7845968frfdmhC1EWRxxbw00000014qg00000000u0tm
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-12-02 17:46:59 UTC | 1366 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702750" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Publisher" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenPublisher" S="Medium" /> <F T="2


Session ID | Source IP | Source Port | Destination IP | Destination Port
121 | 192.168.2.7 | 49843 | 13.107.246.63 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:59 UTC | 192 | OUT | GET /rules/rule702301v1s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:46:59 UTC | 494 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 17:46:59 GMT
Content-Type: text/xml
Content-Length: 1399
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:28:00 GMT
ETag: "0x8DC582BE976026E"
x-ms-request-id: ae63cf80-d01e-00ad-1daa-42e942000000
x-ms-version: 2018-03-28
x-azure-ref: 20241202T174659Z-174f7845968swgbqhC1EWRmnb400000014w000000000kgug
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-12-02 17:46:59 UTC | 1399 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702301" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Project.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenPr


Session ID | Source IP | Source Port | Destination IP | Destination Port
122 | 192.168.2.7 | 49844 | 13.107.246.63 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:46:59 UTC | 192 | OUT | GET /rules/rule702300v1s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:47:00 UTC | 494 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 17:47:00 GMT
Content-Type: text/xml
Content-Length: 1362
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:37 GMT
ETag: "0x8DC582BDC13EFEF"
x-ms-request-id: b578d01d-201e-003c-6391-3f30f9000000
x-ms-version: 2018-03-28
x-azure-ref: 20241202T174700Z-174f78459688l8rvhC1EWRtzr00000000hc000000000bzuu
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-12-02 17:47:00 UTC | 1362 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702300" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Project" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenProject" S="Medium" /> <F T="2">


Session ID | Source IP | Source Port | Destination IP | Destination Port
123 | 192.168.2.7 | 49845 | 13.107.246.63 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:00 UTC | 192 | OUT | GET /rules/rule703401v0s19.xml HTTP/1.1
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
Host: otelrules.azureedge.net
2024-12-02 17:47:00 UTC | 494 | IN | HTTP/1.1 200 OK
Date: Mon, 02 Dec 2024 17:47:00 GMT
Content-Type: text/xml
Content-Length: 1425
Connection: close
Vary: Accept-Encoding
Cache-Control: public, max-age=604800, immutable
Last-Modified: Tue, 09 Apr 2024 00:27:55 GMT
ETag: "0x8DC582BE6BD89A1"
x-ms-request-id: 1318377f-c01e-0034-12b7-432af6000000
x-ms-version: 2018-03-28
x-azure-ref: 20241202T174700Z-174f784596886s2bhC1EWR743w00000014w0000000004txa
x-fd-int-roxy-purgeid: 0
X-Cache: TCP_HIT
Accept-Ranges: bytes
2024-12-02 17:47:00 UTC | 1425 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703401" V="0" DC="SM" EN="Office.Telemetry.Event.Office.ProgrammableSurfaces.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="Nexus


                                                                                  Session IDSource IPSource PortDestination IPDestination Port
                                                                                  124192.168.2.74984613.107.246.63443
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-12-02 17:47:00 UTC192OUTGET /rules/rule703400v0s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:01 UTC494INHTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:00 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1388
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:37 GMT
                                                                                  ETag: "0x8DC582BDBD9126E"
                                                                                  x-ms-request-id: cf1b24c6-801e-00a0-09d5-432196000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174700Z-174f78459685m244hC1EWRgp2c00000014q0000000002scr
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:01 UTC | 1388 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703400" V="0" DC="SM" EN="Office.Telemetry.Event.Office.ProgrammableSurfaces" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenProgrammableSurfaces" S="M


Session ID | Source IP | Source Port | Destination IP | Destination Port
125 | 192.168.2.7 | 49847 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:00 UTC | 192 | OUT | GET /rules/rule702501v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:01 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:01 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1415
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:57 GMT
                                                                                  ETag: "0x8DC582BE7C66E85"
                                                                                  x-ms-request-id: 44412a51-001e-000b-14c5-4315a7000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174701Z-174f7845968cdxdrhC1EWRg0en00000014sg000000008gvr
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:01 UTC | 1415 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702501" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Programmability.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenan


Session ID | Source IP | Source Port | Destination IP | Destination Port
126 | 192.168.2.7 | 49848 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:01 UTC | 192 | OUT | GET /rules/rule702500v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:02 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:02 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1378
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:36 GMT
                                                                                  ETag: "0x8DC582BDB813B3F"
                                                                                  x-ms-request-id: 22785ae5-e01e-0003-78b2-420fa8000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174702Z-174f7845968xlwnmhC1EWR0sv800000014f000000000wrna
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:02 UTC | 1378 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702500" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Programmability" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenProgrammability" S="Medium" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
127 | 192.168.2.7 | 49849 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:01 UTC | 192 | OUT | GET /rules/rule700501v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:02 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:02 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1405
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:58 GMT
                                                                                  ETag: "0x8DC582BE89A8F82"
                                                                                  x-ms-request-id: 562f2249-001e-0028-5dab-42c49f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174702Z-174f7845968cdxdrhC1EWRg0en00000014q000000000kdwz
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:02 UTC | 1405 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700501" V="1" DC="SM" EN="Office.Telemetry.Event.Office.PowerPoint.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantToke


Session ID | Source IP | Source Port | Destination IP | Destination Port
128 | 192.168.2.7 | 49850 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:02 UTC | 192 | OUT | GET /rules/rule700500v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:02 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:02 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1368
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:53 GMT
                                                                                  ETag: "0x8DC582BE51CE7B3"
                                                                                  x-ms-request-id: 21a32f9a-a01e-003d-21b4-4298d7000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174702Z-174f7845968qj8jrhC1EWRh41s00000014s000000000a6t6
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:02 UTC | 1368 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700500" V="1" DC="SM" EN="Office.Telemetry.Event.Office.PowerPoint" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenPowerPoint" S="Medium" /> <F T=


Session ID | Source IP | Source Port | Destination IP | Destination Port
129 | 192.168.2.7 | 49851 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:03 UTC | 192 | OUT | GET /rules/rule702551v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:03 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:03 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1415
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:39 GMT
                                                                                  ETag: "0x8DC582BDCE9703A"
                                                                                  x-ms-request-id: 5e2e43e0-a01e-0002-3ba3-435074000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174703Z-174f7845968nxc96hC1EWRspw800000014kg000000005bqx
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:03 UTC | 1415 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702551" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Personalization.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenan


Session ID | Source IP | Source Port | Destination IP | Destination Port
130 | 192.168.2.7 | 49852 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:03 UTC | 192 | OUT | GET /rules/rule702550v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:03 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:03 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1378
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:53 GMT
                                                                                  ETag: "0x8DC582BE584C214"
                                                                                  x-ms-request-id: 22aebb4e-401e-00ac-1f80-430a97000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174703Z-174f78459685m244hC1EWRgp2c00000014kg00000000f8mp
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:03 UTC | 1378 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702550" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Personalization" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenPersonalization" S="Medium" />


Session ID | Source IP | Source Port | Destination IP | Destination Port
131 | 192.168.2.7 | 49853 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:04 UTC | 192 | OUT | GET /rules/rule701351v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:04 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:04 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1407
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:55 GMT
                                                                                  ETag: "0x8DC582BE687B46A"
                                                                                  x-ms-request-id: 1402e90e-d01e-0049-106c-43e7dc000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174704Z-174f7845968kdththC1EWRzvxn0000000h4000000000c6e6
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
2024-12-02 17:47:04 UTC | 1407 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701351" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Performance.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTok


Session ID | Source IP | Source Port | Destination IP | Destination Port
132 | 192.168.2.7 | 49854 | 13.107.246.63 | 443
Timestamp | Bytes transferred | Direction | Data
2024-12-02 17:47:04 UTC | 192 | OUT | GET /rules/rule701350v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
2024-12-02 17:47:04 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:04 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1370
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:41 GMT
                                                                                  ETag: "0x8DC582BDE62E0AB"
                                                                                  x-ms-request-id: 3a28b270-401e-00ac-75b5-430a97000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174704Z-174f7845968qj8jrhC1EWRh41s00000014qg00000000dhtf
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:04 UTC  1370               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="701350" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Performance" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenPerformance" S="Medium" /> <F


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  133         192.168.2.7  49855        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:04 UTC  192                OUT        GET /rules/rule702151v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:05 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:04 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1397
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT
                                                                                  ETag: "0x8DC582BE156D2EE"
                                                                                  x-ms-request-id: 2d33395e-b01e-0002-651f-411b8f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174704Z-174f7845968xlwnmhC1EWR0sv800000014qg00000000146y
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:05 UTC  1397               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702151" V="1" DC="SM" EN="Office.Telemetry.Event.Office.People.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenPeo


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  134         192.168.2.7  49856        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:05 UTC  192                OUT        GET /rules/rule702150v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:05 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:05 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1360
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:28:07 GMT
                                                                                  ETag: "0x8DC582BEDC8193E"
                                                                                  x-ms-request-id: e09bbfae-501e-00a0-6a93-439d9f000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174705Z-174f7845968glpgnhC1EWR7uec0000001500000000003d65
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:05 UTC  1360               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702150" V="1" DC="SM" EN="Office.Telemetry.Event.Office.People" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenPeople" S="Medium" /> <F T="2">


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  135         192.168.2.7  49857        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:05 UTC  192                OUT        GET /rules/rule703001v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:05 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:05 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1406
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:28:03 GMT
                                                                                  ETag: "0x8DC582BEB16F27E"
                                                                                  x-ms-request-id: b6aee436-d01e-0028-0d5a-437896000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174705Z-174f78459688l8rvhC1EWRtzr00000000h9g00000000pua5
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:05 UTC  1406               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703001" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Outlook.Mac.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTok


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  136         192.168.2.7  49859        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:06 UTC  192                OUT        GET /rules/rule700751v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:06 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:06 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1414
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:44 GMT
                                                                                  ETag: "0x8DC582BE03B051D"
                                                                                  x-ms-request-id: 252842b6-401e-005b-3ea4-439c0c000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174706Z-174f7845968kvnqxhC1EWRmf3g0000000rhg00000000fq2u
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:06 UTC  1414               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700751" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Outlook.Desktop.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenan


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  137         192.168.2.7  49858        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:06 UTC  192                OUT        GET /rules/rule703000v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:06 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:06 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1369
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:49 GMT
                                                                                  ETag: "0x8DC582BE32FE1A2"
                                                                                  x-ms-request-id: 06ed9036-e01e-0071-2c24-4408e7000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174706Z-174f7845968jrjrxhC1EWRmmrs00000014y0000000008shx
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:06 UTC  1369               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703000" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Outlook.Mac" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenOutlookMac" S="Medium" /> <F T


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  138         192.168.2.7  49860        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:06 UTC  192                OUT        GET /rules/rule700750v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:07 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1377
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:28:02 GMT
                                                                                  ETag: "0x8DC582BEAFF0125"
                                                                                  x-ms-request-id: e207a0d1-601e-0097-63aa-42f33a000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174707Z-174f7845968kvnqxhC1EWRmf3g0000000rgg00000000mq96
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:07 UTC  1377               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700750" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Outlook.Desktop" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenOutlookDesktop" S="Medium" />


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  139         192.168.2.7  49861        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:07 UTC  192                OUT        GET /rules/rule700151v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:07 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1399
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:45 GMT
                                                                                  ETag: "0x8DC582BE0A2434F"
                                                                                  x-ms-request-id: f0892ff2-301e-0052-2e91-3f65d6000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174707Z-174f7845968xr5c2hC1EWRd0hn0000000ph000000000qbb5
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:07 UTC  1399               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700151" V="1" DC="SM" EN="Office.Telemetry.Event.Office.OneNote.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenOn


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                                                  140         192.168.2.7  49862        13.107.246.63   443
                                                                                  Timestamp                Bytes transferred  Direction  Data
                                                                                  2024-12-02 17:47:07 UTC  192                OUT        GET /rules/rule700150v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:08 UTC  494                IN         HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:07 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1362
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:53 GMT
                                                                                  ETag: "0x8DC582BE54CA33F"
                                                                                  x-ms-request-id: 6cdca5c3-801e-0035-5534-41752a000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174707Z-174f78459688l8rvhC1EWRtzr00000000hd0000000007wd2
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:08 UTC  1362               IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700150" V="1" DC="SM" EN="Office.Telemetry.Event.Office.OneNote" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenOneNote" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  141 | 192.168.2.7 | 49863 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:08 UTC | 192 | OUT | GET /rules/rule703451v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:09 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:08 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1409
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:44 GMT
                                                                                  ETag: "0x8DC582BDFC438CF"
                                                                                  x-ms-request-id: 4b51cdc8-701e-005c-68c7-43bb94000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174708Z-174f7845968cpnpfhC1EWR3afc00000014g00000000014xr
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:09 UTC | 1409 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703451" V="1" DC="SM" EN="Office.Telemetry.Event.Office.OfficeMobile.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTo


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  142 | 192.168.2.7 | 49864 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:08 UTC | 192 | OUT | GET /rules/rule703450v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:09 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:08 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1372
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:55 GMT
                                                                                  ETag: "0x8DC582BE6669CA7"
                                                                                  x-ms-request-id: 8189778e-c01e-007a-5562-43b877000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174708Z-174f7845968swgbqhC1EWRmnb400000014ug00000000s7ya
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:09 UTC | 1372 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703450" V="1" DC="SM" EN="Office.Telemetry.Event.Office.OfficeMobile" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenOfficeMobile" S="Medium" /> <


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  143 | 192.168.2.7 | 49865 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:09 UTC | 192 | OUT | GET /rules/rule700901v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:09 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:09 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1408
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT
                                                                                  ETag: "0x8DC582BE1038EF2"
                                                                                  x-ms-request-id: 1c1a47f4-e01e-0003-7d9e-420fa8000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174709Z-174f7845968ljs8phC1EWRe6en00000014m000000000g7hv
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:09 UTC | 1408 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700901" V="1" DC="SM" EN="Office.Telemetry.Event.Office.NaturalLanguage.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenan


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  144 | 192.168.2.7 | 49866 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:09 UTC | 192 | OUT | GET /rules/rule700900v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:10 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:10 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1371
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:28:06 GMT
                                                                                  ETag: "0x8DC582BED3D048D"
                                                                                  x-ms-request-id: 7646fc24-d01e-0017-56b5-43b035000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174710Z-174f7845968jrjrxhC1EWRmmrs00000014yg000000007f05
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:10 UTC | 1371 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="700900" V="1" DC="SM" EN="Office.Telemetry.Event.Office.NaturalLanguage" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenProofing" S="Medium" /> <F


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  145 | 192.168.2.7 | 49867 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:09 UTC | 192 | OUT | GET /rules/rule702251v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:10 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:10 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1389
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT
                                                                                  ETag: "0x8DC582BE0F427E7"
                                                                                  x-ms-request-id: 8367301c-701e-0053-27a9-423a0a000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174710Z-174f7845968psccphC1EWRuz9s000000152g000000005ka3
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:10 UTC | 1389 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702251" V="1" DC="SM" EN="Office.Telemetry.Event.Office.ML.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenML" S="


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  146 | 192.168.2.7 | 49868 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:10 UTC | 192 | OUT | GET /rules/rule702250v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:11 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:11 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1352
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:39 GMT
                                                                                  ETag: "0x8DC582BDD0A87E5"
                                                                                  x-ms-request-id: 14c55c9e-801e-0047-7ab7-437265000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174711Z-174f7845968xlwnmhC1EWR0sv800000014fg00000000vass
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:11 UTC | 1352 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702250" V="1" DC="SM" EN="Office.Telemetry.Event.Office.ML" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenML" S="Medium" /> <F T="2"> <O T


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  147 | 192.168.2.7 | 49869 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:10 UTC | 192 | OUT | GET /rules/rule702651v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:11 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:11 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1395
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:42 GMT
                                                                                  ETag: "0x8DC582BDEC600CC"
                                                                                  x-ms-request-id: ff692dfa-301e-0099-5fab-436683000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174711Z-174f7845968frfdmhC1EWRxxbw00000014q000000000wfbh
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:11 UTC | 1395 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702651" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Media.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenMedi


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  148 | 192.168.2.7 | 49870 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:11 UTC | 192 | OUT | GET /rules/rule702650v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:11 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:11 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1358
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:42 GMT
                                                                                  ETag: "0x8DC582BDEA1B544"
                                                                                  x-ms-request-id: 0c9caffe-701e-005c-61b3-42bb94000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174711Z-174f784596886s2bhC1EWR743w00000014v00000000091zc
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:11 UTC | 1358 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="702650" V="1" DC="SM" EN="Office.Telemetry.Event.Office.Media" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenMedia" S="Medium" /> <F T="2">


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                                  149 | 192.168.2.7 | 49871 | 13.107.246.63 | 443
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  2024-12-02 17:47:12 UTC | 192 | OUT | GET /rules/rule703101v1s19.xml HTTP/1.1
                                                                                  Connection: Keep-Alive
                                                                                  Accept-Encoding: gzip
                                                                                  User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)
                                                                                  Host: otelrules.azureedge.net
                                                                                  2024-12-02 17:47:12 UTC | 494 | IN | HTTP/1.1 200 OK
                                                                                  Date: Mon, 02 Dec 2024 17:47:12 GMT
                                                                                  Content-Type: text/xml
                                                                                  Content-Length: 1393
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  Cache-Control: public, max-age=604800, immutable
                                                                                  Last-Modified: Tue, 09 Apr 2024 00:27:46 GMT
                                                                                  ETag: "0x8DC582BE0F93037"
                                                                                  x-ms-request-id: a9eb60f2-501e-0078-41a4-4306cf000000
                                                                                  x-ms-version: 2018-03-28
                                                                                  x-azure-ref: 20241202T174712Z-174f78459684bddphC1EWRbht400000014cg00000000uzs4
                                                                                  x-fd-int-roxy-purgeid: 0
                                                                                  X-Cache: TCP_HIT
                                                                                  Accept-Ranges: bytes
                                                                                  2024-12-02 17:47:12 UTC | 1393 | IN
                                                                                  Data Ascii: <?xml version="1.0" encoding="utf-8"?><R Id="703101" V="1" DC="SM" EN="Office.Telemetry.Event.Office.MATS.Critical" SP="CriticalBusinessImpact" DL="A" xmlns=""> <RIS> <RI N="Event" /> </RIS> <S> <UCSS T="1" C="NexusTenantTokenMATS"


                                                                                  Target ID:0
                                                                                  Start time:12:45:47
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Users\user\Desktop\setup.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\setup.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:5'061'675 bytes
                                                                                  MD5 hash:7186A29CE1FA3F48A7D318E0B4768575
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:1
                                                                                  Start time:12:45:47
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Users\user\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user~1\AppData\Local\Temp\is-GH8UP.tmp\setup.tmp" /SL5="$20434,4812598,58368,C:\Users\user\Desktop\setup.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:719'360 bytes
                                                                                  MD5 hash:1AFBD25DB5C9A90FE05309F7C4FBCF09
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Antivirus matches:
                                                                                  • Detection: 3%, ReversingLabs
                                                                                  Reputation:moderate
                                                                                  Has exited:true

                                                                                  Target ID:9
                                                                                  Start time:12:45:59
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Comdlg32.ocx"
                                                                                  Imagebase:0x480000
                                                                                  File size:20'992 bytes
                                                                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:10
                                                                                  Start time:12:45:59
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\mscomctl.ocx"
                                                                                  Imagebase:0x480000
                                                                                  File size:20'992 bytes
                                                                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:11
                                                                                  Start time:12:46:00
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\MSCOMCT2.OCX"
                                                                                  Imagebase:0x480000
                                                                                  File size:20'992 bytes
                                                                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:13
                                                                                  Start time:12:46:00
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sbls.ocx"
                                                                                  Imagebase:0x480000
                                                                                  File size:20'992 bytes
                                                                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:14
                                                                                  Start time:12:46:01
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\x\sblc.ocx"
                                                                                  Imagebase:0x480000
                                                                                  File size:20'992 bytes
                                                                                  MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:15
                                                                                  Start time:12:46:01
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"msiexec.exe" /i "C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\tscc.msi" /qn
                                                                                  Imagebase:0x820000
                                                                                  File size:59'904 bytes
                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:16
                                                                                  Start time:12:46:01
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                  Imagebase:0x7ff70ee50000
                                                                                  File size:69'632 bytes
                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:18
                                                                                  Start time:12:46:07
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\Automatically Switch Between Applications At Certain Times Software\Automatically Switch Between Applications At Certain Times Software.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:909'312 bytes
                                                                                  MD5 hash:416A3E33F14AF7790CDBA88921E91B2B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:19
                                                                                  Start time:12:46:07
                                                                                  Start date:02/12/2024
                                                                                  Path:C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Video.UI.exe" -ServerName:Microsoft.ZuneVideo.AppX758ya5sqdjd98rx6z7g95nw6jy7bqx9y.mca
                                                                                  Imagebase:0x7ff655510000
                                                                                  File size:25'966'080 bytes
                                                                                  MD5 hash:FE340ECB1D09B5BAA66DFE25AF11654F
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                    Execution Graph

                                                                                    Execution Coverage:23.4%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:8%
                                                                                    Total number of Nodes:1560
                                                                                    Total number of Limit Nodes:21
6261->6242 6263 406e64 21 API calls 6262->6263 6264 406eda GetLastError 6263->6264 6264->6246 6266 409465 Wow64RevertWow64FsRedirection 6265->6266 6267 40946f 6265->6267 6266->6267 6267->6150 6269 403198 4 API calls 6268->6269 6279 409165 6268->6279 6269->6279 6270 4031b8 4 API calls 6272 40921d 6270->6272 6271 40917c 6273 4032c4 18 API calls 6271->6273 6272->6000 6274 409186 6273->6274 6276 4032fc 18 API calls 6274->6276 6275 403278 18 API calls 6275->6279 6277 409190 6276->6277 6277->6270 6278 4032fc 18 API calls 6278->6279 6279->6271 6279->6275 6279->6277 6279->6278 6281 406bcc IsDBCSLeadByte 6280->6281 6283 406cbd 6281->6283 6282 406d07 6282->6018 6283->6282 6284 406b08 IsDBCSLeadByte 6283->6284 6284->6283 6286 406d7b 6285->6286 6287 406ca8 IsDBCSLeadByte 6286->6287 6290 406d86 6287->6290 6288 406b72 6288->6023 6288->6024 6289 406b08 IsDBCSLeadByte 6289->6290 6290->6288 6290->6289 6292 402bd5 RaiseException 6291->6292 6293 402be6 6291->6293 6292->6293 6293->6036 6514 402c08 6517 402c82 6514->6517 6518 402c19 6514->6518 6515 402c56 RtlUnwind 6516 403154 4 API calls 6515->6516 6516->6517 6518->6515 6518->6517 6521 402b28 6518->6521 6522 402b31 RaiseException 6521->6522 6523 402b47 6521->6523 6522->6523 6523->6515 6524 403018 6525 403070 6524->6525 6526 403025 6524->6526 6527 40302a RtlUnwind 6526->6527 6528 40304e 6527->6528 6530 402f78 6528->6530 6531 402be8 6528->6531 6532 402bf1 RaiseException 6531->6532 6533 402c04 6531->6533 6532->6533 6533->6525 6989 40b127 6991 40b099 6989->6991 6990 40b0c5 6993 40b0de 6990->6993 6997 40b0d8 RemoveDirectoryA 6990->6997 6991->6990 6992 4099b0 9 API calls 6991->6992 6992->6990 6994 40b0f2 6993->6994 6995 40b0e7 DestroyWindow 6993->6995 6996 40b11a 6994->6996 6998 40357c 4 API calls 6994->6998 6995->6994 6997->6993 6999 40b110 6998->6999 7000 4025ac 4 API calls 6999->7000 7000->6996 6546 403a28 ReadFile 6547 403a46 6546->6547 6548 403a49 GetLastError 6546->6548 6549 40602a 6550 40602c 6549->6550 6551 406068 6550->6551 6552 
406062 6550->6552 6553 40607f 6550->6553 6554 405dc8 19 API calls 6551->6554 6552->6551 6555 4060d4 6552->6555 6558 405164 19 API calls 6553->6558 6556 40607b 6554->6556 6557 405e38 33 API calls 6555->6557 6560 403198 4 API calls 6556->6560 6557->6556 6559 4060a8 6558->6559 6561 405e38 33 API calls 6559->6561 6562 40610e 6560->6562 6561->6556 6563 40462b 6564 404638 SetErrorMode 6563->6564 7001 40b12c 7002 40b135 7001->7002 7004 40b160 7001->7004 7011 409920 7002->7011 7006 403198 4 API calls 7004->7006 7005 40b13a 7005->7004 7008 40b158 MessageBoxA 7005->7008 7007 40b198 7006->7007 7009 403198 4 API calls 7007->7009 7008->7004 7010 40b1a0 7009->7010 7012 409987 ExitWindowsEx 7011->7012 7013 40992c GetCurrentProcess OpenProcessToken 7011->7013 7015 40993e 7012->7015 7014 409942 LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 7013->7014 7013->7015 7014->7012 7014->7015 7015->7005 7020 403932 7021 403924 7020->7021 7024 40374c 7021->7024 7023 40392c 7025 403766 7024->7025 7026 403759 7024->7026 7025->7023 7026->7025 7027 403779 VariantClear 7026->7027 7027->7023 6579 409e36 6580 409e38 6579->6580 6581 409e5a 6580->6581 6582 409e76 CallWindowProcA 6580->6582 6582->6581 6587 409e38 6588 409e5a 6587->6588 6590 409e47 6587->6590 6589 409e76 CallWindowProcA 6589->6588 6590->6588 6590->6589 6591 4090c4 6592 4090cb 6591->6592 6593 403198 4 API calls 6592->6593 6602 409165 6593->6602 6594 409190 6595 4031b8 4 API calls 6594->6595 6597 40921d 6595->6597 6596 40917c 6598 4032c4 18 API calls 6596->6598 6599 409186 6598->6599 6601 4032fc 18 API calls 6599->6601 6600 403278 18 API calls 6600->6602 6601->6594 6602->6594 6602->6596 6602->6600 6603 4032fc 18 API calls 6602->6603 6603->6602 6345 4074cb 6346 4074bc SetErrorMode 6345->6346 6604 402ccc 6607 402cfe 6604->6607 6609 402cdd 6604->6609 6605 402d88 RtlUnwind 6606 403154 4 API calls 6605->6606 6606->6607 6608 402b28 RaiseException 6610 402d7f 6608->6610 6609->6605 6609->6607 6609->6608 6610->6605 7038 403fcd 7039 
403f07 4 API calls 7038->7039 7040 403fd6 7039->7040 7041 403e9c 4 API calls 7040->7041 7042 403fe2 7041->7042 5128 40aad0 5171 4030dc 5128->5171 5130 40aae6 5174 4042e8 5130->5174 5132 40aaeb 5177 404654 GetModuleHandleA GetVersion 5132->5177 5136 40aaf5 5274 406a50 5136->5274 5138 40aafa 5283 409558 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5138->5283 5145 40ab3d 5311 4070b4 5145->5311 5157 40abe8 5351 407954 5157->5351 5159 40abaa 5159->5157 5391 409fc0 5159->5391 5160 40ac0e 5161 40ac29 5160->5161 5162 409fc0 18 API calls 5160->5162 5355 407edc 5161->5355 5162->5161 5164 40ac4e 5365 408fbc 5164->5365 5168 40ac94 5169 40accd 5168->5169 5170 408fbc 35 API calls 5168->5170 5170->5168 5401 403094 5171->5401 5173 4030e1 GetModuleHandleA GetCommandLineA 5173->5130 5176 404323 5174->5176 5402 403154 5174->5402 5176->5132 5178 4046a5 5177->5178 5179 404685 GetProcAddress 5177->5179 5181 4048d2 GetProcAddress 5178->5181 5182 4046ad GetProcAddress 5178->5182 5179->5178 5180 404696 5179->5180 5180->5178 5184 4048e1 5181->5184 5185 4048e8 GetProcAddress 5181->5185 5183 4046bc 5182->5183 5419 4045a0 GetSystemDirectoryA 5183->5419 5184->5185 5187 4048f7 SetProcessDEPPolicy 5185->5187 5188 4048fb 5185->5188 5187->5188 5415 403198 5188->5415 5190 4031e8 18 API calls 5193 4046d8 5190->5193 5193->5181 5194 40470b 5193->5194 5422 4032fc 5193->5422 5436 40322c 5194->5436 5198 4032fc 18 API calls 5199 404726 5198->5199 5440 4045cc SetErrorMode 5199->5440 5202 40322c 4 API calls 5203 40473c 5202->5203 5204 4032fc 18 API calls 5203->5204 5205 404749 5204->5205 5206 4045cc 2 API calls 5205->5206 5207 404751 5206->5207 5208 40322c 4 API calls 5207->5208 5209 40475f 5208->5209 5210 4032fc 18 API calls 5209->5210 5211 40476c 5210->5211 5212 4045cc 2 API calls 5211->5212 5213 404774 5212->5213 5214 40322c 4 API calls 5213->5214 5215 404782 5214->5215 5216 4032fc 18 API calls 5215->5216 5217 40478f 5216->5217 5218 4045cc 2 API calls 5217->5218 5219 404797 5218->5219 
5220 40322c 4 API calls 5219->5220 5221 4047a5 5220->5221 5222 4032fc 18 API calls 5221->5222 5223 4047b2 5222->5223 5224 4045cc 2 API calls 5223->5224 5225 4047ba 5224->5225 5226 40322c 4 API calls 5225->5226 5227 4047c8 5226->5227 5228 4032fc 18 API calls 5227->5228 5229 4047d5 5228->5229 5230 4045cc 2 API calls 5229->5230 5231 4047dd 5230->5231 5232 40322c 4 API calls 5231->5232 5233 4047eb 5232->5233 5234 4032fc 18 API calls 5233->5234 5235 4047f8 5234->5235 5236 4045cc 2 API calls 5235->5236 5237 404800 5236->5237 5238 40322c 4 API calls 5237->5238 5239 40480e 5238->5239 5240 4032fc 18 API calls 5239->5240 5241 40481b 5240->5241 5242 4045cc 2 API calls 5241->5242 5243 404823 5242->5243 5244 40322c 4 API calls 5243->5244 5245 404831 5244->5245 5246 4032fc 18 API calls 5245->5246 5247 40483e 5246->5247 5248 4045cc 2 API calls 5247->5248 5249 404846 5248->5249 5250 40322c 4 API calls 5249->5250 5251 404854 5250->5251 5252 4032fc 18 API calls 5251->5252 5253 404861 5252->5253 5254 4045cc 2 API calls 5253->5254 5255 404869 5254->5255 5256 40322c 4 API calls 5255->5256 5257 404877 5256->5257 5258 4032fc 18 API calls 5257->5258 5259 404884 5258->5259 5260 4045cc 2 API calls 5259->5260 5261 40488c 5260->5261 5262 40322c 4 API calls 5261->5262 5263 40489a 5262->5263 5264 4032fc 18 API calls 5263->5264 5265 4048a7 5264->5265 5266 4045cc 2 API calls 5265->5266 5267 4048af 5266->5267 5268 40322c 4 API calls 5267->5268 5269 4048bd 5268->5269 5270 4032fc 18 API calls 5269->5270 5271 4048ca 5270->5271 5272 4045cc 2 API calls 5271->5272 5272->5181 5273 404aac 6FDA1CD0 5273->5136 5546 406130 5274->5546 5284 4095ad 5283->5284 5652 40717c GetSystemDirectoryA 5284->5652 5288 4095d4 5289 4032fc 18 API calls 5288->5289 5290 4095e1 5289->5290 5665 407454 SetErrorMode 5290->5665 5295 4031b8 4 API calls 5296 409615 5295->5296 5297 40a050 GetSystemInfo VirtualQuery 5296->5297 5298 40a104 5297->5298 5301 40a07a 5297->5301 5303 409c40 5298->5303 5299 40a0e5 VirtualQuery 5299->5298 
5299->5301 5300 40a0a4 VirtualProtect 5300->5301 5301->5298 5301->5299 5301->5300 5302 40a0d3 VirtualProtect 5301->5302 5302->5299 5697 407058 GetCommandLineA 5303->5697 5305 409d28 5307 4031b8 4 API calls 5305->5307 5306 4070b4 20 API calls 5310 409c5d 5306->5310 5308 409d42 5307->5308 5308->5145 5381 40a160 5308->5381 5309 403454 18 API calls 5309->5310 5310->5305 5310->5306 5310->5309 5312 4070db GetModuleFileNameA 5311->5312 5313 4070ff GetCommandLineA 5311->5313 5314 403278 18 API calls 5312->5314 5321 407104 5313->5321 5315 4070fd 5314->5315 5318 40712c 5315->5318 5316 407109 5319 403198 4 API calls 5316->5319 5317 406f78 18 API calls 5317->5321 5322 403198 4 API calls 5318->5322 5320 407111 5319->5320 5323 40322c 4 API calls 5320->5323 5321->5316 5321->5317 5321->5320 5324 407141 5322->5324 5323->5318 5325 4031e8 5324->5325 5326 4031ec 5325->5326 5329 4031fc 5325->5329 5328 403254 18 API calls 5326->5328 5326->5329 5327 403228 5331 407994 5327->5331 5328->5329 5329->5327 5330 4025ac 4 API calls 5329->5330 5330->5327 5332 40799e 5331->5332 5718 407a2a 5332->5718 5721 407a2c 5332->5721 5333 4079ca 5334 4079de 5333->5334 5724 407940 GetLastError 5333->5724 5338 40a10c FindResourceA 5334->5338 5339 40a121 5338->5339 5340 40a126 SizeofResource 5338->5340 5341 409fc0 18 API calls 5339->5341 5342 40a133 5340->5342 5343 40a138 LoadResource 5340->5343 5341->5340 5344 409fc0 18 API calls 5342->5344 5345 40a146 5343->5345 5346 40a14b LockResource 5343->5346 5344->5343 5347 409fc0 18 API calls 5345->5347 5348 40a157 5346->5348 5349 40a15c 5346->5349 5347->5346 5350 409fc0 18 API calls 5348->5350 5349->5159 5388 407dcc 5349->5388 5350->5349 5352 407968 5351->5352 5353 407978 5352->5353 5354 4078a0 34 API calls 5352->5354 5353->5160 5354->5353 5356 407ee9 5355->5356 5357 405d18 18 API calls 5356->5357 5358 407f3d 5356->5358 5357->5358 5359 407dcc InterlockedExchange 5358->5359 5360 407f4f 5359->5360 5361 405d18 18 API calls 5360->5361 5362 407f65 5360->5362 5361->5362 
5363 407fa8 5362->5363 5364 405d18 18 API calls 5362->5364 5363->5164 5364->5363 5368 408fed 5365->5368 5370 409036 5365->5370 5366 409081 5823 40816c 5366->5823 5368->5370 5371 4034f0 18 API calls 5368->5371 5374 403420 18 API calls 5368->5374 5376 4031e8 18 API calls 5368->5376 5379 40816c 35 API calls 5368->5379 5369 409098 5373 4031b8 4 API calls 5369->5373 5370->5366 5372 4034f0 18 API calls 5370->5372 5377 4031e8 18 API calls 5370->5377 5378 403420 18 API calls 5370->5378 5380 40816c 35 API calls 5370->5380 5371->5368 5372->5370 5375 4090b2 5373->5375 5374->5368 5398 4050a8 5375->5398 5376->5368 5377->5370 5378->5370 5379->5368 5380->5370 5382 40322c 4 API calls 5381->5382 5383 40a183 5382->5383 5384 40a192 MessageBoxA 5383->5384 5385 40a1a7 5384->5385 5386 403198 4 API calls 5385->5386 5387 40a1af 5386->5387 5387->5145 5845 407d78 5388->5845 5392 409fe1 5391->5392 5393 409fc9 5391->5393 5395 405d18 18 API calls 5392->5395 5394 405d18 18 API calls 5393->5394 5396 409fdb 5394->5396 5397 409ff2 5395->5397 5396->5157 5397->5157 5399 402594 18 API calls 5398->5399 5400 4050b3 5399->5400 5400->5168 5401->5173 5403 403164 5402->5403 5404 40318c TlsGetValue 5402->5404 5403->5176 5405 403196 5404->5405 5406 40316f 5404->5406 5405->5176 5410 40310c 5406->5410 5408 403174 TlsGetValue 5409 403184 5408->5409 5409->5176 5411 403120 LocalAlloc 5410->5411 5412 403116 5410->5412 5413 40313e TlsSetValue 5411->5413 5414 403132 5411->5414 5412->5411 5413->5414 5414->5408 5416 4031b7 5415->5416 5417 40319e 5415->5417 5416->5273 5417->5416 5444 4025ac 5417->5444 5448 40458c 5419->5448 5423 403300 5422->5423 5424 40333f 5422->5424 5425 4031e8 5423->5425 5426 40330a 5423->5426 5424->5194 5432 403254 18 API calls 5425->5432 5433 4031fc 5425->5433 5427 403334 5426->5427 5428 40331d 5426->5428 5429 4034f0 18 API calls 5427->5429 5531 4034f0 5428->5531 5435 403322 5429->5435 5430 403228 5430->5194 5432->5433 5433->5430 5434 4025ac 4 API calls 5433->5434 5434->5430 5435->5194 5438 
403230 5436->5438 5437 403252 5437->5198 5438->5437 5439 4025ac 4 API calls 5438->5439 5439->5437 5544 403414 5440->5544 5443 40461e 5443->5202 5445 4025b0 5444->5445 5446 4025ba 5444->5446 5445->5446 5447 403154 4 API calls 5445->5447 5446->5416 5446->5446 5447->5446 5451 4032c4 5448->5451 5455 403278 5451->5455 5453 403288 5454 403198 4 API calls 5453->5454 5456 4032a0 5454->5456 5457 403254 5455->5457 5456->5190 5458 403274 5457->5458 5459 403258 5457->5459 5458->5453 5462 402594 5459->5462 5461 403261 5461->5453 5463 402598 5462->5463 5465 4025a2 5462->5465 5468 401fd4 5463->5468 5464 40259e 5464->5465 5466 403154 4 API calls 5464->5466 5465->5461 5465->5465 5466->5465 5469 401fe8 5468->5469 5470 401fed 5468->5470 5479 401918 RtlInitializeCriticalSection 5469->5479 5471 402012 RtlEnterCriticalSection 5470->5471 5473 40201c 5470->5473 5478 401ff1 5470->5478 5471->5473 5473->5478 5486 401ee0 5473->5486 5476 402147 5476->5464 5477 40213d RtlLeaveCriticalSection 5477->5476 5478->5464 5480 401946 5479->5480 5481 40193c RtlEnterCriticalSection 5479->5481 5482 401964 LocalAlloc 5480->5482 5481->5480 5483 40197e 5482->5483 5484 4019c3 RtlLeaveCriticalSection 5483->5484 5485 4019cd 5483->5485 5484->5485 5485->5470 5487 401ef0 5486->5487 5488 401f40 5487->5488 5489 401f1c 5487->5489 5492 401e58 5487->5492 5488->5476 5488->5477 5489->5488 5497 401d00 5489->5497 5501 4016d8 5492->5501 5495 401e75 5495->5487 5498 401d4e 5497->5498 5499 401d1e 5497->5499 5498->5499 5518 401c68 5498->5518 5499->5488 5504 4016f4 5501->5504 5502 401430 LocalAlloc VirtualAlloc VirtualFree 5502->5504 5503 4016fe 5505 4015c4 VirtualAlloc 5503->5505 5504->5502 5504->5503 5506 40175b 5504->5506 5507 40132c LocalAlloc 5504->5507 5509 40174f 5504->5509 5508 40170a 5505->5508 5506->5495 5511 401dcc 5506->5511 5507->5504 5508->5506 5510 40150c VirtualFree 5509->5510 5510->5506 5512 401d80 9 API calls 5511->5512 5513 401de0 5512->5513 5514 40132c LocalAlloc 5513->5514 5515 401df0 5514->5515 5516 401b44 9 
API calls 5515->5516 5517 401df8 5515->5517 5516->5517 5517->5495 5519 401c7a 5518->5519 5520 401c9d 5519->5520 5521 401caf 5519->5521 5522 40188c LocalAlloc VirtualFree VirtualFree 5520->5522 5523 40188c LocalAlloc VirtualFree VirtualFree 5521->5523 5524 401cad 5522->5524 5523->5524 5525 401cc5 5524->5525 5526 401b44 9 API calls 5524->5526 5525->5499 5527 401cd4 5526->5527 5528 401cee 5527->5528 5529 401b98 9 API calls 5527->5529 5530 4013a0 LocalAlloc 5528->5530 5529->5528 5530->5525 5532 4034fd 5531->5532 5539 40352d 5531->5539 5534 403526 5532->5534 5535 403509 5532->5535 5533 403198 4 API calls 5538 403517 5533->5538 5536 403254 18 API calls 5534->5536 5540 4025c4 5535->5540 5536->5539 5538->5435 5539->5533 5541 4025ca 5540->5541 5542 4025dc 5541->5542 5543 403154 4 API calls 5541->5543 5542->5538 5543->5542 5545 403418 LoadLibraryA 5544->5545 5545->5443 5618 405dc8 5546->5618 5549 405708 GetSystemDefaultLCID 5553 40573e 5549->5553 5550 4031e8 18 API calls 5550->5553 5551 405164 19 API calls 5551->5553 5552 405694 19 API calls 5552->5553 5553->5550 5553->5551 5553->5552 5556 4057a0 5553->5556 5554 405164 19 API calls 5554->5556 5555 405694 19 API calls 5555->5556 5556->5554 5556->5555 5557 4031e8 18 API calls 5556->5557 5558 405823 5556->5558 5557->5556 5634 4031b8 5558->5634 5561 40584c GetSystemDefaultLCID 5638 405694 GetLocaleInfoA 5561->5638 5564 4031e8 18 API calls 5565 40588c 5564->5565 5566 405694 19 API calls 5565->5566 5567 4058a1 5566->5567 5568 405694 19 API calls 5567->5568 5569 4058c5 5568->5569 5644 4056e0 GetLocaleInfoA 5569->5644 5572 4056e0 GetLocaleInfoA 5573 4058f5 5572->5573 5574 405694 19 API calls 5573->5574 5575 40590f 5574->5575 5576 4056e0 GetLocaleInfoA 5575->5576 5577 40592c 5576->5577 5578 405694 19 API calls 5577->5578 5579 405946 5578->5579 5580 4031e8 18 API calls 5579->5580 5581 405953 5580->5581 5582 405694 19 API calls 5581->5582 5583 405968 5582->5583 5584 4031e8 18 API calls 5583->5584 5585 405975 5584->5585 5586 4056e0 
GetLocaleInfoA 5585->5586 5587 405983 5586->5587 5588 405694 19 API calls 5587->5588 5589 40599d 5588->5589 5590 4031e8 18 API calls 5589->5590 5591 4059aa 5590->5591 5592 405694 19 API calls 5591->5592 5593 4059bf 5592->5593 5594 4031e8 18 API calls 5593->5594 5595 4059cc 5594->5595 5596 405694 19 API calls 5595->5596 5597 4059e1 5596->5597 5598 4059fe 5597->5598 5599 4059ef 5597->5599 5601 40322c 4 API calls 5598->5601 5600 40322c 4 API calls 5599->5600 5602 4059fc 5600->5602 5601->5602 5603 405694 19 API calls 5602->5603 5604 405a20 5603->5604 5605 405a3d 5604->5605 5606 405a2e 5604->5606 5608 403198 4 API calls 5605->5608 5607 40322c 4 API calls 5606->5607 5609 405a3b 5607->5609 5608->5609 5646 4033b4 5609->5646 5611 405a5f 5612 4033b4 18 API calls 5611->5612 5613 405a79 5612->5613 5614 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5613->5614 5615 405a93 5614->5615 5616 40617c GetVersionExA 5615->5616 5617 406193 5616->5617 5617->5138 5619 405dd4 5618->5619 5626 405164 LoadStringA 5619->5626 5622 4031e8 18 API calls 5623 405e05 5622->5623 5624 403198 4 API calls 5623->5624 5625 405e1a 5624->5625 5625->5549 5629 403278 5626->5629 5630 403254 18 API calls 5629->5630 5631 403288 5630->5631 5632 403198 4 API calls 5631->5632 5633 4032a0 5632->5633 5633->5622 5636 4031be 5634->5636 5635 4031e3 5635->5561 5636->5635 5637 4025ac 4 API calls 5636->5637 5637->5636 5639 4056bb 5638->5639 5640 4056cd 5638->5640 5642 403278 18 API calls 5639->5642 5641 40322c 4 API calls 5640->5641 5643 4056cb 5641->5643 5642->5643 5643->5564 5645 4056fc 5644->5645 5645->5572 5647 4033bc 5646->5647 5648 403254 18 API calls 5647->5648 5649 4033cf 5648->5649 5650 4031e8 18 API calls 5649->5650 5651 4033f7 5650->5651 5673 405268 5652->5673 5655 406ac0 5656 406aca 5655->5656 5657 406aed 5655->5657 5676 406dd8 5656->5676 5658 40322c 4 API calls 5657->5658 5660 406af6 5658->5660 5660->5288 5661 406ad1 5661->5657 5662 406adc 5661->5662 5681 403340 5662->5681 5664 406aea 5664->5288 5666 
403414 5665->5666 5667 40748c LoadLibraryA 5666->5667 5668 4074a2 5667->5668 5669 407738 FormatMessageA 5668->5669 5670 40775e 5669->5670 5671 403278 18 API calls 5670->5671 5672 40777b 5671->5672 5672->5295 5674 4032c4 18 API calls 5673->5674 5675 405277 5674->5675 5675->5655 5677 406de3 5676->5677 5678 406ddf 5676->5678 5696 406df8 CharPrevA 5677->5696 5678->5661 5680 406df4 5680->5661 5682 403344 5681->5682 5683 4033a5 5681->5683 5684 4031e8 5682->5684 5685 40334c 5682->5685 5687 4031fc 5684->5687 5690 403254 18 API calls 5684->5690 5685->5683 5686 40335b 5685->5686 5689 4031e8 18 API calls 5685->5689 5691 403254 18 API calls 5686->5691 5688 403228 5687->5688 5692 4025ac 4 API calls 5687->5692 5688->5664 5689->5686 5690->5687 5693 403375 5691->5693 5692->5688 5694 4031e8 18 API calls 5693->5694 5695 4033a1 5694->5695 5695->5664 5696->5680 5704 406f78 5697->5704 5699 40707b 5700 40708d 5699->5700 5701 406f78 18 API calls 5699->5701 5702 403198 4 API calls 5700->5702 5701->5699 5703 4070a2 5702->5703 5703->5310 5705 406fa4 5704->5705 5706 403278 18 API calls 5705->5706 5707 406fb1 5706->5707 5714 403420 5707->5714 5709 406fb9 5710 4031e8 18 API calls 5709->5710 5711 406fd1 5710->5711 5712 403198 4 API calls 5711->5712 5713 406ff3 5712->5713 5713->5699 5715 403426 5714->5715 5717 403437 5714->5717 5716 403254 18 API calls 5715->5716 5715->5717 5716->5717 5717->5709 5719 407a2c 5718->5719 5720 407a6b CreateFileA 5719->5720 5720->5333 5722 403414 5721->5722 5723 407a6b CreateFileA 5722->5723 5723->5333 5727 4078a0 5724->5727 5728 407738 19 API calls 5727->5728 5729 4078c8 5728->5729 5730 4078e8 5729->5730 5736 40561c 5729->5736 5739 405d18 5730->5739 5733 4078f7 5734 403198 4 API calls 5733->5734 5735 407914 5734->5735 5735->5334 5743 405630 5736->5743 5740 405d1f 5739->5740 5741 4031e8 18 API calls 5740->5741 5742 405d37 5741->5742 5742->5733 5744 40564d 5743->5744 5751 4052e0 5744->5751 5747 405679 5749 403278 18 API calls 5747->5749 5750 40562b 5749->5750 
5750->5730 5753 4052fb 5751->5753 5752 40530d 5752->5747 5756 40506c 5752->5756 5753->5752 5759 405402 5753->5759 5766 4052d4 5753->5766 5757 405dc8 19 API calls 5756->5757 5758 40507d 5757->5758 5758->5747 5760 405413 5759->5760 5762 405461 5759->5762 5760->5762 5763 4054e7 5760->5763 5765 40547f 5762->5765 5769 40527c 5762->5769 5763->5765 5773 4052c0 5763->5773 5765->5753 5767 403198 4 API calls 5766->5767 5768 4052de 5767->5768 5768->5753 5770 40528a 5769->5770 5776 405084 5770->5776 5772 4052b8 5772->5762 5789 4039a4 5773->5789 5779 405e38 5776->5779 5778 40509d 5778->5772 5780 405e46 5779->5780 5781 405164 19 API calls 5780->5781 5782 405e70 5781->5782 5783 40561c 33 API calls 5782->5783 5784 405e7e 5783->5784 5785 4031e8 18 API calls 5784->5785 5786 405e89 5785->5786 5787 4031b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5786->5787 5788 405ea3 5787->5788 5788->5778 5790 4039ab 5789->5790 5795 4038b4 5790->5795 5792 4039cb 5793 403198 4 API calls 5792->5793 5794 4039d2 5793->5794 5794->5765 5796 4038d5 5795->5796 5797 4038c8 5795->5797 5799 403934 5796->5799 5800 4038db 5796->5800 5798 403780 6 API calls 5797->5798 5813 4038d0 5798->5813 5801 403993 5799->5801 5802 40393b 5799->5802 5803 4038e1 5800->5803 5804 4038ee 5800->5804 5806 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5801->5806 5807 403941 5802->5807 5808 40394b 5802->5808 5809 403894 6 API calls 5803->5809 5805 403894 6 API calls 5804->5805 5810 4038fc 5805->5810 5806->5813 5811 403864 23 API calls 5807->5811 5812 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5808->5812 5809->5813 5814 4037f4 VariantClear VariantChangeTypeEx VariantChangeTypeEx 5810->5814 5811->5813 5815 40395d 5812->5815 5813->5792 5816 403917 5814->5816 5817 403864 23 API calls 5815->5817 5819 40374c VariantClear 5816->5819 5818 403976 5817->5818 5820 40374c VariantClear 5818->5820 5821 40392c 5819->5821 5822 40398b 5820->5822 5821->5792 5822->5792 5824 408187 5823->5824 5826 40817c 5823->5826 
5829 408110 5824->5829 5826->5369 5828 405d18 18 API calls 5828->5826 5830 408163 5829->5830 5831 408124 5829->5831 5830->5826 5830->5828 5831->5830 5833 408060 5831->5833 5834 40806b 5833->5834 5837 40807c 5833->5837 5835 405d18 18 API calls 5834->5835 5835->5837 5836 407954 34 API calls 5838 408090 5836->5838 5837->5836 5839 407954 34 API calls 5838->5839 5840 4080b1 5839->5840 5841 407dcc InterlockedExchange 5840->5841 5842 4080c6 5841->5842 5843 4080dc 5842->5843 5844 405d18 18 API calls 5842->5844 5843->5831 5844->5843 5846 407d8a 5845->5846 5847 407d9b 5845->5847 5848 407d8f InterlockedExchange 5846->5848 5847->5159 5848->5847 6611 4024d0 6612 4024e4 6611->6612 6613 4024e9 6611->6613 6614 401918 4 API calls 6612->6614 6615 402518 6613->6615 6616 40250e RtlEnterCriticalSection 6613->6616 6618 4024ed 6613->6618 6614->6613 6626 402300 6615->6626 6616->6615 6620 402525 6622 402581 6620->6622 6623 402577 RtlLeaveCriticalSection 6620->6623 6621 401fd4 14 API calls 6624 402531 6621->6624 6623->6622 6624->6620 6636 40215c 6624->6636 6627 402314 6626->6627 6628 402335 6627->6628 6629 4023b8 6627->6629 6630 402344 6628->6630 6650 401b74 6628->6650 6629->6630 6632 402455 6629->6632 6653 401d80 6629->6653 6657 401e84 6629->6657 6630->6620 6630->6621 6632->6630 6635 401d00 9 API calls 6632->6635 6635->6630 6637 40217a 6636->6637 6638 402175 6636->6638 6640 4021ab RtlEnterCriticalSection 6637->6640 6641 4021b5 6637->6641 6644 40217e 6637->6644 6639 401918 4 API calls 6638->6639 6639->6637 6640->6641 6642 402244 6641->6642 6643 4021c1 6641->6643 6648 402270 6641->6648 6642->6644 6647 401d80 7 API calls 6642->6647 6645 4022e3 RtlLeaveCriticalSection 6643->6645 6646 4022ed 6643->6646 6644->6620 6645->6646 6646->6620 6647->6644 6648->6643 6649 401d00 7 API calls 6648->6649 6649->6643 6651 40215c 9 API calls 6650->6651 6652 401b95 6651->6652 6652->6630 6654 401d89 6653->6654 6656 401d92 6653->6656 6655 401b74 9 API calls 6654->6655 6654->6656 6655->6656 6656->6629 6662 401768 
6657->6662 6659 401e99 6660 401dcc 9 API calls 6659->6660 6661 401ea6 6659->6661 6660->6661 6661->6629 6664 401787 6662->6664 6663 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6663->6664 6664->6663 6665 40183b 6664->6665 6666 40132c LocalAlloc 6664->6666 6668 401821 6664->6668 6670 4017d6 6664->6670 6671 4017e7 6665->6671 6677 4015c4 6665->6677 6666->6664 6669 40150c VirtualFree 6668->6669 6669->6671 6673 40150c 6670->6673 6671->6659 6674 40153b 6673->6674 6675 401594 6674->6675 6676 401568 VirtualFree 6674->6676 6675->6671 6676->6674 6679 40160a 6677->6679 6678 40163a 6678->6671 6679->6678 6680 401626 VirtualAlloc 6679->6680 6680->6678 6680->6679 6681 4028d2 6682 4028da 6681->6682 6683 403554 4 API calls 6682->6683 6684 4028ef 6682->6684 6683->6682 6685 4025ac 4 API calls 6684->6685 6686 4028f4 6685->6686 6687 4094d2 6688 4094c4 6687->6688 6689 409460 Wow64RevertWow64FsRedirection 6688->6689 6690 4094cc 6689->6690 7043 4019d3 7044 4019ba 7043->7044 7045 4019c3 RtlLeaveCriticalSection 7044->7045 7046 4019cd 7044->7046 7045->7046 6691 4094d4 SetLastError 6692 4094dd 6691->6692 5945 407bd6 5947 407bd8 5945->5947 5946 407b90 WriteFile 5948 407ba3 5946->5948 5949 407b9c 5946->5949 5947->5946 5953 407c94 5947->5953 5951 407bb4 5948->5951 5952 4078a0 34 API calls 5948->5952 5950 407940 35 API calls 5949->5950 5950->5948 5952->5951 5849 407ae0 ReadFile 5850 407b00 5849->5850 5851 407b17 5849->5851 5852 407b10 5850->5852 5853 407b06 GetLastError 5850->5853 5854 407940 35 API calls 5852->5854 5853->5851 5853->5852 5854->5851 7050 4075e2 7051 4075cc 7050->7051 7052 403198 4 API calls 7051->7052 7053 4075d4 7052->7053 7054 403198 4 API calls 7053->7054 7055 4075dc 7054->7055 7056 4093e4 7059 4092b0 7056->7059 7060 4092b9 7059->7060 7061 403198 4 API calls 7060->7061 7062 4092c7 7060->7062 7061->7060 7063 4055e8 7064 4055fb 7063->7064 7065 4052e0 33 API calls 7064->7065 7066 40560f 7065->7066 7067 402be9 RaiseException 7068 402c04 7067->7068 6693 40acec 6694 40ad11 

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 0040466F
                                                                                    • GetVersion.KERNEL32(kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 00404676
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
                                                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048D8
                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048EE
                                                                                    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,00404911,?,?,?,?,00000000,?,0040AAF0), ref: 004048F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModulePolicyProcessVersion
                                                                                    • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                                                    • API String ID: 3297890031-1119018034
                                                                                    • Opcode ID: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
                                                                                    • Instruction ID: 8135fb14ee81180893b1f543c3a29e932c16cf19254b5bff3906bd7e71ea8aa3
                                                                                    • Opcode Fuzzy Hash: cc6ab64b48d02d140d73cec505fdc132eff82ff6553fc21a046d343f04ece132
                                                                                    • Instruction Fuzzy Hash: 9D611270600159AFDB00FBF6DA8398E77A89F80305B2045BBA604772D6D778EF059B5D

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 237 40a050-40a074 GetSystemInfo VirtualQuery 238 40a104-40a10b 237->238 239 40a07a 237->239 240 40a0f9-40a0fe 239->240 240->238 241 40a07c-40a083 240->241 242 40a0e5-40a0f7 VirtualQuery 241->242 243 40a085-40a089 241->243 242->238 242->240 243->242 244 40a08b-40a093 243->244 245 40a0a4-40a0b5 VirtualProtect 244->245 246 40a095-40a098 244->246 248 40a0b7 245->248 249 40a0b9-40a0bb 245->249 246->245 247 40a09a-40a09d 246->247 247->245 251 40a09f-40a0a2 247->251 248->249 250 40a0ca-40a0cd 249->250 252 40a0bd-40a0c6 call 40a048 250->252 253 40a0cf-40a0d1 250->253 251->245 251->249 252->250 253->242 255 40a0d3-40a0e0 VirtualProtect 253->255 255->242
                                                                                    APIs
                                                                                    • GetSystemInfo.KERNEL32(?), ref: 0040A062
                                                                                    • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A06D
                                                                                    • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0AE
                                                                                    • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0E0
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0F0
                                                                                    Similarity
                                                                                    • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                    • String ID:
                                                                                    • API String ID: 2441996862-0
                                                                                    • Opcode ID: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
                                                                                    • Instruction ID: d22f8a83843956dcd0f1bd3c30f31cd8ee5be065fb893754064b45e2edc0d12d
                                                                                    • Opcode Fuzzy Hash: e53a58f787b0994d942b1301a25b776e5790cc469dae4f0c0141b44a09a1105d
                                                                                    • Instruction Fuzzy Hash: 8921AEB12003086BD630DE998D85E6BB3D8DF85354F04483AF685E33C2D77DE864966A
                                                                                    APIs
                                                                                    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
                                                                                    • Instruction ID: 16534491fad4532095b25154bcfa4eb159586e841354a195c3175f568a425c49
                                                                                    • Opcode Fuzzy Hash: 1c8cef5e7bc5498290c3f938cca84698e8f49793df951a569bfd97285a3601f8
                                                                                    • Instruction Fuzzy Hash: 4DE0D87170021827D710A9699C86EFB725CE758310F4006BFB908E73C2EDB59E8046ED

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • SetLastError.KERNEL32 ref: 0040AF99
                                                                                      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,02157E5C), ref: 00409B44
                                                                                    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
                                                                                    • SetWindowLongA.USER32(00020434,000000FC,00409E38), ref: 0040AFED
                                                                                    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
                                                                                    • DestroyWindow.USER32(00020434,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
                                                                                    Similarity
                                                                                    • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                    • API String ID: 3757039580-3001827809
                                                                                    • Opcode ID: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
                                                                                    • Instruction ID: e11106d591c480187276ddc099787e7d0131364ad6526c401ab361da32b03a0a
                                                                                    • Opcode Fuzzy Hash: 779aa3cc042d1ecda5eecd5a957243857221684a4f0e841bdcf92309e10b5571
                                                                                    • Instruction Fuzzy Hash: AB412F70E006049BD711EBE9EE86B6937A4EB58304F10417BF114BB2E2C7B89C05CB9D

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 0040957A
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409580
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616,?,?,?,?,00000000,00000000,?,0040AB04), ref: 00409594
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040959A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                    • API String ID: 1646373207-2130885113
                                                                                    • Opcode ID: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
                                                                                    • Instruction ID: a26a6a73124c26f393fcd3150f7a0ae21a729c0721f3e308dc05a8b68c4216e4
                                                                                    • Opcode Fuzzy Hash: a877c76c9fc41a234e825ecf500836d7dc2a3ebdee614a9ba8f5c15843239161
                                                                                    • Instruction Fuzzy Hash: AD119170908244BEDB00FBA6CD02B497BA8DB85704F20447BB500762D3CA7D5D08DA2D

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AFD6
                                                                                    • SetWindowLongA.USER32(00020434,000000FC,00409E38), ref: 0040AFED
                                                                                      • Part of subcall function 00407004: GetCommandLineA.KERNEL32(00000000,00407048,?,?,?,?,00000000,?,0040B05E,?), ref: 0040701C
                                                                                      • Part of subcall function 00409EC4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02157E5C,00409FB0,00000000,00409F97), ref: 00409F34
                                                                                      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02157E5C,00409FB0,00000000), ref: 00409F48
                                                                                      • Part of subcall function 00409EC4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
                                                                                      • Part of subcall function 00409EC4: GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
                                                                                      • Part of subcall function 00409EC4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02157E5C,00409FB0), ref: 00409F7C
                                                                                    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
                                                                                    • DestroyWindow.USER32(00020434,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
                                                                                    Similarity
                                                                                    • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                    • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                    • API String ID: 3586484885-3001827809
                                                                                    • Opcode ID: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
                                                                                    • Instruction ID: 2c50bf805cbcaae07aef26e9318175051bf4a01897437c95b2245b611fc910e4
                                                                                    • Opcode Fuzzy Hash: 2e3aa86d138e90c5b86658206792da66739f20ef7896738f1a5b938c9a18691c
                                                                                    • Instruction Fuzzy Hash: A6413B71A106049FD710EBE9EE96B6937E4EB58304F10427AF514BB2E1D7B89C04CB9C

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02157E5C,00409FB0,00000000,00409F97), ref: 00409F34
                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02157E5C,00409FB0,00000000), ref: 00409F48
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F61
                                                                                    • GetExitCodeProcess.KERNEL32(?,0040C244), ref: 00409F73
                                                                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409FBC,02157E5C,00409FB0), ref: 00409F7C
                                                                                      • Part of subcall function 00409B20: GetLastError.KERNEL32(00000000,00409BC3,?,0040C244,?,02157E5C), ref: 00409B44
                                                                                    Similarity
                                                                                    • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                    • String ID: D
                                                                                    • API String ID: 3356880605-2746444292
                                                                                    • Opcode ID: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
                                                                                    • Instruction ID: 5612ed86ad08d4bddb5d15266d7073179e0372755be9feb1331a68d3317c9ad6
                                                                                    • Opcode Fuzzy Hash: 38633e948b603c813f450b03e218898c53e69348259ca8204e0d5802e89edcbc
                                                                                    • Instruction Fuzzy Hash: 57114FB16442096EDB00EBE6CC52F9FB7ACEF49718F50007BB604F72C6DA789D048669

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 218 4019dc-4019e7 219 401abb-401abd 218->219 220 4019ed-401a02 218->220 221 401a04-401a09 RtlEnterCriticalSection 220->221 222 401a0e-401a2d LocalFree 220->222 221->222 223 401a41-401a47 222->223 224 401a49-401a6e call 4012dc * 3 223->224 225 401a2f-401a3f VirtualFree 223->225 232 401a70-401a85 LocalFree 224->232 233 401a87-401a9d 224->233 225->223 232->232 232->233 235 401aa9-401ab3 RtlDeleteCriticalSection 233->235 236 401a9f-401aa4 RtlLeaveCriticalSection 233->236 236->235
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
                                                                                    • RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 3782394904-0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 257 403d02-403d10 258 403d12-403d19 257->258 259 403d29-403d30 257->259 260 403ddf-403de5 ExitProcess 258->260 261 403d1f 258->261 262 403d32-403d3c 259->262 263 403d3e-403d45 259->263 261->259 266 403d21-403d23 261->266 262->259 264 403d47-403d51 263->264 265 403db8-403dcc call 403cc8 * 2 call 4019dc 263->265 268 403d56-403d62 264->268 282 403dd1-403dd8 265->282 266->259 270 403dea-403e19 call 4030b4 266->270 268->268 271 403d64-403d6e 268->271 275 403d73-403d84 271->275 275->275 278 403d86-403d8d 275->278 280 403da4-403db3 call 403fe4 call 403f67 278->280 281 403d8f-403da2 MessageBoxA 278->281 280->265 281->265 282->270 284 403dda call 4030b4 282->284 284->260
                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                    • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExitMessageProcess
                                                                                    • String ID: Error$Runtime error at 00000000
                                                                                    • API String ID: 1220098344-2970929446

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 288 401918-40193a RtlInitializeCriticalSection 289 401946-40197c call 4012dc * 3 LocalAlloc 288->289 290 40193c-401941 RtlEnterCriticalSection 288->290 297 4019ad-4019c1 289->297 298 40197e 289->298 290->289 302 4019c3-4019c8 RtlLeaveCriticalSection 297->302 303 4019cd 297->303 299 401983-401995 298->299 299->299 301 401997-4019a6 299->301 301->297 302->303
                                                                                    APIs
                                                                                    • RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                    • RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                    • String ID:
                                                                                    • API String ID: 730355536-0

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message
                                                                                    • String ID: .tmp$xz@
                                                                                    • API String ID: 2030045667-184514067

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD50
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message
                                                                                    • String ID: .tmp$xz@
                                                                                    • API String ID: 2030045667-184514067

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040984E
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,004098F7,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409857
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: .tmp
                                                                                    • API String ID: 1375471231-2986845003

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 429 4099b0-4099c1 430 4099c3-4099c4 429->430 431 409a0a-409a0f 429->431 432 4099c6-4099c9 430->432 433 4099d6-4099d9 432->433 434 4099cb-4099d4 Sleep 432->434 435 4099e4-4099e9 call 409470 433->435 436 4099db-4099df Sleep 433->436 434->435 438 4099ee-4099f0 435->438 436->435 438->431 439 4099f2-4099fa GetLastError 438->439 439->431 440 4099fc-409a04 GetLastError 439->440 440->431 441 409a06-409a08 440->441 441->431 441->432
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099CF
                                                                                    • Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099DF
                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099F2
                                                                                    • GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099FC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 507 401fd4-401fe6 508 401fe8 call 401918 507->508 509 401ffb-402010 507->509 515 401fed-401fef 508->515 510 402012-402017 RtlEnterCriticalSection 509->510 511 40201c-402025 509->511 510->511 513 402027 511->513 514 40202c-402032 511->514 513->514 516 402038-40203c 514->516 517 4020cb-4020d1 514->517 515->509 518 401ff1-401ff6 515->518 521 402041-402050 516->521 522 40203e 516->522 519 4020d3-4020e0 517->519 520 40211d-40211f call 401ee0 517->520 523 40214f-402158 518->523 524 4020e2-4020ea 519->524 525 4020ef-40211b call 402f54 519->525 531 402124-40213b 520->531 521->517 526 402052-402060 521->526 522->521 524->525 525->523 529 402062-402066 526->529 530 40207c-402080 526->530 533 402068 529->533 534 40206b-40207a 529->534 536 402082 530->536 537 402085-4020a0 530->537 538 402147 531->538 539 40213d-402142 RtlLeaveCriticalSection 531->539 533->534 540 4020a2-4020c6 call 402f54 534->540 536->537 537->540 539->538 540->523
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017
                                                                                      • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
                                                                                      • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
                                                                                      • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
                                                                                      • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                    • String ID:
                                                                                    • API String ID: 296031713-0
                                                                                    APIs
                                                                                    • DeleteFileA.KERNEL32(00000000,00000000,004094CD,?,0000000D,00000000), ref: 004094A7
                                                                                    • GetLastError.KERNEL32(00000000,00000000,004094CD,?,0000000D,00000000), ref: 004094AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 2018770650-0
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00008000), ref: 0040745E
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,004074A8,?,00000000,004074C6,?,00008000), ref: 0040748D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLibraryLoadMode
                                                                                    • String ID:
                                                                                    • API String ID: 2987862817-0
                                                                                    APIs
                                                                                    • RemoveDirectoryA.KERNEL32(00000000,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0D9
                                                                                    • DestroyWindow.USER32(00020434,0040B12C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B0ED
                                                                                      • Part of subcall function 004099B0: Sleep.KERNEL32(?,?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099CF
                                                                                      • Part of subcall function 004099B0: GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099F2
                                                                                      • Part of subcall function 004099B0: GetLastError.KERNEL32(?,?,?,0000000D,?,0040B0C5,000000FA,00000032,0040B12C), ref: 004099FC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2192421792-0
                                                                                    APIs
                                                                                    • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407AF7
                                                                                    • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407B06
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastRead
                                                                                    • String ID:
                                                                                    • API String ID: 1948546556-0
                                                                                    APIs
                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B3F
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B47
                                                                                      • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021403AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 1156039329-0
                                                                                    APIs
                                                                                    • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A8F
                                                                                    • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A9B
                                                                                      • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021403AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 1156039329-0
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocFree
                                                                                    • String ID:
                                                                                    • API String ID: 2087232378-0
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3934441357-0
                                                                                    APIs
                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,0040583E), ref: 00405727
                                                                                      • Part of subcall function 00405164: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405181
                                                                                      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1658689577-0
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00406EAC,?,?,?,?,00000000,?,00406EC1,0040721B,00000000,00407260,?,?,?), ref: 00406E8F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A6C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B93
                                                                                      • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021403AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastWrite
                                                                                    • String ID:
                                                                                    • API String ID: 442123175-0
                                                                                    APIs
                                                                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095FB,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 00407757
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FormatMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1306739567-0
                                                                                    • Opcode ID: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
                                                                                    • Instruction ID: 444c138c93f6580368b8f7bf76726c6abc5f79d38e46f5c5344eab39dd4d6646
                                                                                    • Opcode Fuzzy Hash: ae2211e31bb54872ca0cc89886dd4699aa21f9c9d48a8aafd9a4e38039cc465e
                                                                                    • Instruction Fuzzy Hash: 20E0D8A1B8830126F62426144C87F77110E43C0740F60403A7B04EF3D2D6FEB909429F
                                                                                    APIs
                                                                                    • SetEndOfFile.KERNEL32(?,02157EAC,0040AF31,00000000), ref: 00407B67
                                                                                      • Part of subcall function 00407940: GetLastError.KERNEL32(xz@,004079DE,?,?,021403AC,?,0040AB73,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 00407943
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 734332943-0
                                                                                    • Opcode ID: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
                                                                                    • Instruction ID: 97af4fe43c66ae010506ec3d7cd84cb65660405db9abbaf149828d557edbb573
                                                                                    • Opcode Fuzzy Hash: 1909adfb068d84a4c7c509a03c933fc32f464db51ef0452f103150ab7bc1f699
                                                                                    • Instruction Fuzzy Hash: F3C04CB160410057DB00A6AE85C1E1672D85A4825830040B6B604DB257D678E8108719
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
                                                                                    • Instruction ID: 2360f01ce0fe84dc83243c5f87e7f13f8f92df382308918f1fe84dd18a5cd7c9
                                                                                    • Opcode Fuzzy Hash: b2df83a3f7eadccbe6543f05c1e4b9f9d7ac47d1857bfd650161f3857d5c0035
                                                                                    • Instruction Fuzzy Hash: C8B09B76F1C2006DE705DAD5745153877D4D7C47103A14877F114D25C0D53C94108519
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,004074CD), ref: 004074C0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    • Opcode ID: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
                                                                                    • Instruction ID: d86a438f0f99301b82867e6a10fbdb03c4267dfb17041a1f22e3924364c889c4
                                                                                    • Opcode Fuzzy Hash: eeeb51977643a1c07891125f237145a2d5169de148269e7e0dcbc59e3a378873
                                                                                    • Instruction Fuzzy Hash: 55A002A9D08104BACE10EAE58CD5A7D77A86A883047D048AA7215B2181C53DE911963B
                                                                                    APIs
                                                                                    • CharPrevA.USER32(?,?,00406DF4,?,00406AD1,?,?,004095D4,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00409616), ref: 00406DFA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CharPrev
                                                                                    • String ID:
                                                                                    • API String ID: 122130370-0
                                                                                    • Opcode ID: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
                                                                                    • Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
                                                                                    • Opcode Fuzzy Hash: 1f54fb0d7342efd56636b4bf43ce0ada456b4309ba7930a48c32b3046dc9142d
                                                                                    • Instruction Fuzzy Hash:
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00408454
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    • Opcode ID: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
                                                                                    • Instruction ID: f6409c4485ca7bd338f5543af8cc2530bb3769743075a02b7f3240cefa60082b
                                                                                    • Opcode Fuzzy Hash: 3554af80b116e35b21060cbbc6df44ef5282ed17f45008ec87b0ebbddb4e439e
                                                                                    • Instruction Fuzzy Hash: 3E1181716006059BDB00EF69C981B4B7794EF84359F04847EF998AB2C6DF38DC058B6A
                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 1263568516-0
                                                                                    • Opcode ID: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
                                                                                    • Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
                                                                                    • Opcode Fuzzy Hash: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
                                                                                    • Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle
                                                                                    • String ID:
                                                                                    • API String ID: 2962429428-0
                                                                                    • Opcode ID: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
                                                                                    • Instruction ID: 317b5c03ede138d5cd26287ffab94a369f1a3233cb4abf22224d679caf67fd96
                                                                                    • Opcode Fuzzy Hash: 066f784fd68329df4130f6e67c5a0e1de43b19e02d9a5afc60124be3f7097d47
                                                                                    • Instruction Fuzzy Hash: 30D05E91B00A6007E215E6BE598864A92D85F88685B08847AF644E73D1D67CAD018389
                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,00408351), ref: 00408383
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 1263568516-0
                                                                                    • Opcode ID: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
                                                                                    • Instruction ID: c3f7fe7f71c209b7548f3f70eea4568eea5cceda8148a565dbcaceff9471b988
                                                                                    • Opcode Fuzzy Hash: da78ddfa397c9e2cdf4956a2ea141b2947b48037f15e72f78cdce16bc7675b7a
                                                                                    • Instruction Fuzzy Hash: 9CD002B1755304AFDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6E775D8108B14
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 0040992F
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00409935
                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0040994E
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00409975
                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040997A
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 0040998B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    • API String ID: 107509674-3733053543
                                                                                    • Opcode ID: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
                                                                                    • Instruction ID: 69b49e6867c4070d7a8a5f136f8c55bc3de077f0d280c98028d7d6ae56364c3e
                                                                                    • Opcode Fuzzy Hash: 179ed9162b652ccf15c6d14b836035b236f42e51fdbed839cad4311b1fc8396b
                                                                                    • Instruction Fuzzy Hash: 21F062F068430275E610ABB68C07F6B61885BC0B48F50193EBA55F52C3D7BCD804866F
                                                                                    APIs
                                                                                    • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A116
                                                                                    • SizeofResource.KERNEL32(00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000,0040B1A1), ref: 0040A129
                                                                                    • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A,?,00000000), ref: 0040A13B
                                                                                    • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB8B,00000000,0040B122,?,00000001,00000000,00000002,00000000,0040B16A), ref: 0040A14C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 3473537107-0
                                                                                    • Opcode ID: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
                                                                                    • Instruction ID: 8b92cee28785ce20b64f8d9370ff96c2b68540d1e256e0df05e6767f26cc4d74
                                                                                    • Opcode Fuzzy Hash: 6d1e58e0e179c15565de9e5b9098d59155bd11748cd142999f7bb8aa7b6e98b6
                                                                                    • Instruction Fuzzy Hash: 10E07EE035830265EA103AFA0DC3B2A00484B6474DF05403FB700B92C7DDBCDC1591AE
                                                                                    APIs
                                                                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
                                                                                    • Instruction ID: d144edb85d9c502d4ea0939edf991ab5ce3f28f90927345f3a95d007e4e99129
                                                                                    • Opcode Fuzzy Hash: c7e217b6e51c096be6b931cb56113e619872b2713a6c7d1a918660c486d4d873
                                                                                    • Instruction Fuzzy Hash: DCD0A7AA31E250BAE310519B2D85EBB4BDCCBC57B4F14443FFA48D7242D2248C06A7B6
                                                                                    APIs
                                                                                    • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: SystemTime
                                                                                    • String ID:
                                                                                    • API String ID: 2656138-0
                                                                                    • Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
                                                                                    • Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
                                                                                    • Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
                                                                                    • Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                    • Instruction ID: 3b27ac6c5e0f9a5810868b706c98a54019571903b6d877547466b603179570a7
                                                                                    • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                                                    • Instruction Fuzzy Hash: 9E32D674E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF55
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407501
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407507
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075DD,?,00000000,00409DF0), ref: 00407555
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressCloseHandleModuleProc
                                                                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                    • API String ID: 4190037839-2401316094
                                                                                    • Opcode ID: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
                                                                                    • Instruction ID: 86f2a6ba799f7653865fc0e2ce0ef1955b98c5cb30eb2cc475413799582f5e83
                                                                                    • Opcode Fuzzy Hash: 0178f007b2e9ce97110c2286f944ebc52b58938adea7bd75e582725685aec29c
                                                                                    • Instruction Fuzzy Hash: 27215570E48205BBDB00EAA5CC55BDF77A8AB44354F50887BA501F76C1DB7CBA04865E
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                    • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                    • String ID:
                                                                                    • API String ID: 1694776339-0
                                                                                    • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                    • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                    • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                    • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                    APIs
                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,00405A94,?,?,?,?,00000000,00000000,00000000,?,00406A73,00000000,00406A86), ref: 00405866
                                                                                      • Part of subcall function 00405694: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,0040575F,?,00000000,0040583E), ref: 004056B2
                                                                                      • Part of subcall function 004056E0: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058E2,?,?,?,00000000,00405A94), ref: 004056F3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale$DefaultSystem
                                                                                    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                    • API String ID: 1044490935-665933166
                                                                                    • Opcode ID: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
                                                                                    • Instruction ID: 6fbfddc16810fcf353c8d16d6476d0df8e1e1129542ac215d571de96c8bf2126
                                                                                    • Opcode Fuzzy Hash: 5a553179c7555abcfcf22225c6a629e87a34c3027ea7095babbe5e1ef45f2de3
                                                                                    • Instruction Fuzzy Hash: A8512034B005486BDB00EBA59891A8F7769DB98304F50D87BB505BB3C6DA3DDE098F5C
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                                    • String ID:
                                                                                    • API String ID: 262959230-0
                                                                                    • Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                                                    • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                    • Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                                                    • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                    APIs
                                                                                    • RtlUnwind.KERNEL32(?,0040303C,00000000,00000000), ref: 00403037
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unwind
                                                                                    • String ID: a@$,`@
                                                                                    • API String ID: 3419175465-3299659662
                                                                                    • Opcode ID: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
                                                                                    • Instruction ID: e18fd8dce0ff00c2f0e26d0eabb8ee8c5bb09bfe6675b42a72717897def5721e
                                                                                    • Opcode Fuzzy Hash: 74c36dcaebc9beb569fc9a652e38c4b91acfc0ad3c1c730ca21132f2aeeaf1ad
                                                                                    • Instruction Fuzzy Hash: 951182352042029BD724DE18CA89B2777B5AB44744F24C13AA404AB3DAC77CDC81A769
                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A195
                                                                                    Strings
                                                                                    • Setup, xrefs: 0040A185
                                                                                    • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A179
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message
                                                                                    • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                    • API String ID: 2030045667-3271211647
                                                                                    • Opcode ID: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
                                                                                    • Instruction ID: 75c34cc78b7437cb0ca87fafc7654258806437370cb031ed823535619a0dd887
                                                                                    • Opcode Fuzzy Hash: 2fcb4469882f519d07bdc4c54c2b2bf709aeffd752a3b32377c5605777b8a92b
                                                                                    • Instruction Fuzzy Hash: 8BE0E5302043087EE301EA629C03F5A7BACE7CAB04F600477F900B55C1C6786E10842D
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,0040AAE6), ref: 004030E3
                                                                                    • GetCommandLineA.KERNEL32(00000000,0040AAE6), ref: 004030EE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1480887695.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1480430966.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1481357321.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1483847686.0000000000412000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CommandHandleLineModule
                                                                                    • String ID: U1hd.@
                                                                                    • API String ID: 2123368496-2904493091
                                                                                    • Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
                                                                                    • Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
                                                                                    • Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
                                                                                    • Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD

                                                                                    Execution Graph

                                                                                    Execution Coverage:14.8%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:7.4%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:76
56068->56058 56069->56045 56070->56049 56071->56052 56073 41491a 56072->56073 56076 4108e8 56073->56076 56075 414930 56075->56065 56079 40e134 56076->56079 56078 4108ee 56078->56075 56080 40e196 56079->56080 56081 40e147 56079->56081 56086 40e1a4 56080->56086 56084 40e1a4 33 API calls 56081->56084 56085 40e171 56084->56085 56085->56078 56087 40e1b4 56086->56087 56089 40e1ca 56087->56089 56098 40e52c 56087->56098 56114 40da70 56087->56114 56117 40e3dc 56089->56117 56092 40e1d2 56093 40da70 19 API calls 56092->56093 56094 40e23e 56092->56094 56120 40dff0 56092->56120 56093->56092 56096 40e3dc 19 API calls 56094->56096 56097 40e1a0 56096->56097 56097->56078 56099 40edfc 19 API calls 56098->56099 56101 40e567 56099->56101 56100 403778 18 API calls 56100->56101 56101->56100 56102 40e61d 56101->56102 56187 40dc04 19 API calls 56101->56187 56188 40e510 19 API calls 56101->56188 56103 40e647 56102->56103 56104 40e638 56102->56104 56184 40beb4 56103->56184 56134 40e850 56104->56134 56110 40e645 56111 403400 4 API calls 56110->56111 56112 40e6ec 56111->56112 56112->56087 56115 40ee98 19 API calls 56114->56115 56116 40da7a 56115->56116 56116->56087 56221 40d94c 56117->56221 56121 40e3e4 19 API calls 56120->56121 56122 40e023 56121->56122 56123 40edfc 19 API calls 56122->56123 56124 40e02e 56123->56124 56125 40edfc 19 API calls 56124->56125 56126 40e039 56125->56126 56127 40e054 56126->56127 56128 40e04b 56126->56128 56133 40e051 56126->56133 56230 40de68 56127->56230 56233 40df58 33 API calls 56128->56233 56131 403420 4 API calls 56132 40e11f 56131->56132 56132->56092 56133->56131 56135 40e886 56134->56135 56136 40e87c 56134->56136 56138 40e9a1 56135->56138 56139 40e925 56135->56139 56140 40e986 56135->56140 56141 40ea06 56135->56141 56142 40e8c8 56135->56142 56143 40e969 56135->56143 56144 40e94b 56135->56144 56174 40e8ec 56135->56174 56178 40e8f9 56135->56178 56190 40d8d0 19 API calls 56136->56190 56146 40dbf4 19 API calls 56138->56146 56198 40e2b4 19 API calls 56139->56198 
56203 40ed20 19 API calls 56140->56203 56152 40dbf4 19 API calls 56141->56152 56191 40dbf4 56142->56191 56201 40ee38 19 API calls 56143->56201 56200 40e274 19 API calls 56144->56200 56155 40e9a9 56146->56155 56148 403400 4 API calls 56156 40ea7b 56148->56156 56159 40ea0e 56152->56159 56165 40e9b3 56155->56165 56166 40e9ad 56155->56166 56156->56110 56157 40e974 56202 40a1c8 18 API calls 56157->56202 56158 40e930 56199 40d900 19 API calls 56158->56199 56161 40ea12 56159->56161 56162 40ea2b 56159->56162 56168 40ee98 19 API calls 56161->56168 56210 40e2b4 19 API calls 56162->56210 56163 40e8f1 56196 40e368 19 API calls 56163->56196 56164 40e8d4 56194 40e2b4 19 API calls 56164->56194 56204 40ee98 56165->56204 56175 40ee98 19 API calls 56166->56175 56183 40e9b1 56166->56183 56168->56174 56173 40e8df 56195 40e6fc 19 API calls 56173->56195 56174->56148 56180 40e9d4 56175->56180 56178->56174 56197 40dca8 19 API calls 56178->56197 56179 40e9f6 56209 40e764 18 API calls 56179->56209 56207 40dd30 19 API calls 56180->56207 56183->56174 56208 40e2b4 19 API calls 56183->56208 56216 40be60 56184->56216 56187->56101 56188->56101 56189 40dc04 19 API calls 56189->56110 56190->56135 56192 40ee98 19 API calls 56191->56192 56193 40dbfe 56192->56193 56193->56163 56193->56164 56194->56173 56195->56174 56196->56178 56197->56174 56198->56158 56199->56174 56200->56174 56201->56157 56202->56174 56203->56174 56211 40dc10 56204->56211 56207->56183 56208->56179 56209->56174 56210->56174 56214 40dc1b 56211->56214 56212 40dc55 56212->56174 56214->56212 56215 40dc5c 19 API calls 56214->56215 56215->56214 56217 40be72 56216->56217 56218 40be97 56216->56218 56217->56218 56220 40bf14 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56217->56220 56218->56110 56218->56189 56220->56218 56222 40ee98 19 API calls 56221->56222 56223 40d959 56222->56223 56224 40d96c 56223->56224 56228 40ef9c 19 API calls 56223->56228 56224->56092 56226 40d967 56229 40d8e8 19 API calls 56226->56229 56228->56226 56229->56224 
56234 40b00c 33 API calls 56230->56234 56232 40de90 56232->56133 56233->56133 56234->56232 50780 413acc SetWindowLongA GetWindowLongA 50781 413b29 SetPropA SetPropA 50780->50781 50782 413b0b GetWindowLongA 50780->50782 50786 41f82c KiUserCallbackDispatcher 50781->50786 50782->50781 50783 413b1a SetWindowLongA 50782->50783 50783->50781 50784 413b79 50786->50784 56235 416eac 56236 416ebf 56235->56236 56239 416ed7 56235->56239 56237 416ec1 56236->56237 56238 416f2a 56236->56238 56244 416ef4 56237->56244 56245 416ec6 56237->56245 56252 415700 56238->56252 56249 416ed2 56239->56249 56260 416e20 PtInRect GetCapture 56239->56260 56242 415700 73 API calls 56243 416f61 56242->56243 56244->56249 56251 421f7c 6 API calls 56244->56251 56247 416f91 GetCapture 56245->56247 56245->56249 56247->56249 56248 416f33 56248->56243 56259 416d60 PtInRect 56248->56259 56249->56242 56249->56243 56251->56249 56253 41570d 56252->56253 56254 415773 56253->56254 56255 415768 56253->56255 56258 415771 56253->56258 56261 42501c 13 API calls 56254->56261 56255->56258 56262 4154ec 60 API calls 56255->56262 56258->56248 56259->56243 56260->56249 56261->56258 56262->56258 56263 422cec 56264 422d1c 56263->56264 56265 422cff 56263->56265 56267 422f31 56264->56267 56268 422d56 56264->56268 56272 422f8f 56264->56272 56265->56264 56266 40914c 19 API calls 56265->56266 56266->56264 56269 422f83 56267->56269 56270 422f79 56267->56270 56289 422dad 56268->56289 56303 423638 GetSystemMetrics 56268->56303 56269->56272 56275 422fc7 56269->56275 56276 422fa8 56269->56276 56306 4222bc 25 API calls 56270->56306 56273 422e59 56277 422e65 56273->56277 56278 422e9b 56273->56278 56274 422f0c 56281 422f26 ShowWindow 56274->56281 56285 422fd1 GetActiveWindow 56275->56285 56284 422fbf SetWindowPos 56276->56284 56282 422e6f SendMessageA 56277->56282 56283 422eb5 ShowWindow 56278->56283 56280 422df1 56304 423630 GetSystemMetrics 56280->56304 56281->56272 56286 418670 56282->56286 56288 418670 56283->56288 56284->56272 
56290 422fdc 56285->56290 56291 422ffb 56285->56291 56292 422e93 ShowWindow 56286->56292 56293 422ed7 CallWindowProcA 56288->56293 56289->56273 56289->56274 56296 422fe4 IsIconic 56290->56296 56294 423001 56291->56294 56295 423026 56291->56295 56297 422eea SendMessageA 56292->56297 56305 415154 56293->56305 56300 423018 SetWindowPos SetActiveWindow 56294->56300 56301 423030 ShowWindow 56295->56301 56296->56291 56299 422fee 56296->56299 56297->56272 56307 41f484 GetCurrentThreadId EnumThreadWindows 56299->56307 56300->56272 56301->56272 56303->56280 56304->56289 56305->56297 56306->56269 56307->56291 50787 482cd8 50788 482ce1 50787->50788 50789 482d0b 50788->50789 50790 482ced 50788->50790 51166 481580 38 API calls 50789->51166 50791 482d02 50790->50791 51164 481750 57 API calls 50790->51164 51165 481580 38 API calls 50791->51165 50795 482d09 50796 482d38 50795->50796 50797 482d46 50795->50797 51167 478dc4 295 API calls 50796->51167 50798 482d85 50797->50798 51169 4816e8 18 API calls 50797->51169 50799 482da9 50798->50799 50802 482d9c 50798->50802 50803 482d9e 50798->50803 50805 482dbb 50799->50805 50806 482dc1 50799->50806 50813 48172c 57 API calls 50802->50813 51171 4817c0 57 API calls 50803->51171 50804 482d3d 50804->50797 51168 409070 19 API calls 50804->51168 50809 482dbf 50805->50809 50922 48172c 50805->50922 50806->50809 50814 48172c 57 API calls 50806->50814 50807 482d78 51170 481750 57 API calls 50807->51170 50927 47e8a8 50809->50927 50813->50799 50814->50809 51281 481214 57 API calls 50922->51281 50924 481747 51282 409070 19 API calls 50924->51282 51283 42dd28 GetWindowsDirectoryA 50927->51283 50930 403450 18 API calls 50931 47e8d9 50930->50931 51286 42dd54 GetSystemDirectoryA 50931->51286 50934 403450 18 API calls 50935 47e8ee 50934->50935 51289 42dd80 50935->51289 50937 47e8f6 50938 403450 18 API calls 50937->50938 50939 47e903 50938->50939 50940 47e90c 50939->50940 50941 47e928 50939->50941 51338 42d698 50940->51338 50942 403400 4 API calls 50941->50942 
50944 47e926 50942->50944 50946 47e96d 50944->50946 51346 42cd5c 50944->51346 51293 47e730 50946->51293 50947 403450 18 API calls 50947->50944 50952 403450 18 API calls 50954 47e955 50952->50954 50953 403450 18 API calls 50955 47e989 50953->50955 50954->50946 50959 403450 18 API calls 50954->50959 50956 47e9a7 50955->50956 50957 4035c0 18 API calls 50955->50957 50958 47e730 22 API calls 50956->50958 50957->50956 50960 47e9b6 50958->50960 50959->50946 50961 403450 18 API calls 50960->50961 50962 47e9c3 50961->50962 50963 47e9eb 50962->50963 50964 42c88c 19 API calls 50962->50964 50965 47ea52 50963->50965 50968 47e730 22 API calls 50963->50968 50966 47e9d9 50964->50966 50967 47eb18 50965->50967 50972 47ea72 SHGetKnownFolderPath 50965->50972 50971 4035c0 18 API calls 50966->50971 50969 47eb42 50967->50969 50970 47eb21 50967->50970 50973 47ea03 50968->50973 51304 42c88c 50969->51304 50974 42c88c 19 API calls 50970->50974 50971->50963 50976 47eac5 SHGetKnownFolderPath 50972->50976 50977 47ea8c 50972->50977 50978 403450 18 API calls 50973->50978 50981 47eb2e 50974->50981 50976->50967 50980 47eadf 50976->50980 51356 403ba4 21 API calls 50977->51356 50979 47ea10 50978->50979 50984 47ea23 50979->50984 51354 453b40 18 API calls 50979->51354 51357 403ba4 21 API calls 50980->51357 50988 47eaa7 CoTaskMemFree 51164->50791 51165->50795 51166->50795 51167->50804 51169->50807 51170->50798 51171->50799 51281->50924 51358 407974 51283->51358 51287 407974 18 API calls 51286->51287 51288 42dd75 51287->51288 51288->50934 51290 403400 4 API calls 51289->51290 51291 42dd90 GetModuleHandleA GetProcAddress 51290->51291 51292 42dda9 51291->51292 51292->50937 51436 42e2ac 51293->51436 51295 47e756 51296 47e77c 51295->51296 51297 47e75a 51295->51297 51298 403400 4 API calls 51296->51298 51439 42e1dc 51297->51439 51300 47e783 51298->51300 51300->50953 51302 47e771 RegCloseKey 51302->51300 51303 403400 4 API calls 51303->51302 51305 42c896 51304->51305 51306 42c8b9 51304->51306 51339 4038a4 18 
API calls 51338->51339 51340 42d6ab 51339->51340 51341 42d6c2 GetEnvironmentVariableA 51340->51341 51345 42d6d5 51340->51345 51484 42e060 18 API calls 51340->51484 51341->51340 51342 42d6ce 51341->51342 51343 403400 4 API calls 51342->51343 51343->51345 51345->50947 51485 42cb04 51346->51485 51349 42cd70 51351 403400 4 API calls 51349->51351 51350 42cd79 51488 403778 51350->51488 51353 42cd77 51351->51353 51353->50952 51354->50984 51356->50988 51361 40352c 51358->51361 51364 4034e0 51361->51364 51363 4034f0 51365 403400 4 API calls 51363->51365 51367 4034bc 51364->51367 51366 403508 51365->51366 51366->50930 51368 4034c0 51367->51368 51369 4034dc 51367->51369 51372 402648 51368->51372 51369->51363 51371 4034c9 51371->51363 51373 40264c 51372->51373 51375 402656 51372->51375 51378 402088 51373->51378 51374 402652 51374->51375 51389 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51374->51389 51375->51371 51375->51375 51379 40209c 51378->51379 51380 4020a1 51378->51380 51390 4019cc RtlInitializeCriticalSection 51379->51390 51382 4020c6 RtlEnterCriticalSection 51380->51382 51383 4020d0 51380->51383 51386 4020a5 51380->51386 51382->51383 51383->51386 51397 401f94 51383->51397 51386->51374 51387 4021f1 RtlLeaveCriticalSection 51388 4021fb 51387->51388 51388->51374 51389->51375 51391 4019f0 RtlEnterCriticalSection 51390->51391 51392 4019fa 51390->51392 51391->51392 51393 401a18 LocalAlloc 51392->51393 51394 401a32 51393->51394 51395 401a81 51394->51395 51396 401a77 RtlLeaveCriticalSection 51394->51396 51395->51380 51396->51395 51398 401fa4 51397->51398 51399 401fd0 51398->51399 51402 401ff4 51398->51402 51403 401f0c 51398->51403 51399->51402 51408 401db4 51399->51408 51402->51387 51402->51388 51412 40178c 51403->51412 51406 401f29 51406->51398 51409 401e02 51408->51409 51410 401dd2 51408->51410 51409->51410 51423 401d1c 51409->51423 51410->51402 51416 4017a8 51412->51416 51413 4017b2 51415 401678 VirtualAlloc 51413->51415 51414 4014e4 LocalAlloc VirtualAlloc 
VirtualFree 51414->51416 51417 4017be 51415->51417 51416->51413 51416->51414 51418 4013e0 LocalAlloc 51416->51418 51419 401803 51416->51419 51421 40180f 51416->51421 51417->51421 51418->51416 51420 4015c0 VirtualFree 51419->51420 51420->51421 51421->51406 51422 401e80 9 API calls 51421->51422 51422->51406 51424 401d2e 51423->51424 51425 401d51 51424->51425 51426 401d63 51424->51426 51427 401940 LocalAlloc VirtualFree VirtualFree 51425->51427 51428 401940 LocalAlloc VirtualFree VirtualFree 51426->51428 51429 401d61 51427->51429 51428->51429 51430 401d79 51429->51430 51431 401bf8 9 API calls 51429->51431 51430->51410 51432 401d88 51431->51432 51433 401da2 51432->51433 51434 401c4c 9 API calls 51432->51434 51435 401454 LocalAlloc 51433->51435 51434->51433 51435->51430 51437 42e2b7 51436->51437 51438 42e2bd RegOpenKeyExA 51436->51438 51437->51438 51438->51295 51442 42e090 51439->51442 51443 42e0b6 RegQueryValueExA 51442->51443 51447 42e0d9 51443->51447 51458 42e0fb 51443->51458 51444 403400 4 API calls 51446 42e1c7 51444->51446 51445 42e0f3 51448 403400 4 API calls 51445->51448 51446->51302 51446->51303 51447->51445 51447->51458 51459 4034e0 51447->51459 51464 403744 51447->51464 51448->51458 51451 42e130 RegQueryValueExA 51451->51443 51452 42e14c 51451->51452 51452->51458 51468 4038a4 51452->51468 51455 42e1a0 51456 403450 18 API calls 51455->51456 51456->51458 51457 403744 18 API calls 51457->51455 51458->51444 51460 4034bc 18 API calls 51459->51460 51461 4034f0 51460->51461 51462 403400 4 API calls 51461->51462 51463 403508 51462->51463 51463->51447 51465 40374a 51464->51465 51467 40375b 51464->51467 51466 4034bc 18 API calls 51465->51466 51465->51467 51466->51467 51467->51451 51469 4038b1 51468->51469 51476 4038e1 51468->51476 51471 4038da 51469->51471 51472 4038bd 51469->51472 51470 403400 4 API calls 51474 4038cb 51470->51474 51473 4034bc 18 API calls 51471->51473 51477 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51472->51477 51473->51476 51474->51455 
51474->51457 51476->51470 51477->51474 51484->51340 51495 42cb0c 51485->51495 51487 42cb0b 51487->51349 51487->51350 51489 4037aa 51488->51489 51490 40377d 51488->51490 51491 403400 4 API calls 51489->51491 51490->51489 51492 403791 51490->51492 51494 4037a0 51491->51494 51493 4034e0 18 API calls 51492->51493 51493->51494 51494->51353 51498 42cb1d 51495->51498 51496 42cb81 51499 42cb7c 51496->51499 51503 42c8d4 IsDBCSLeadByte 51496->51503 51498->51496 51501 42cb3b 51498->51501 51499->51487 51501->51499 51502 42c8d4 IsDBCSLeadByte 51501->51502 51502->51501 51503->51499 53200 416fd2 53201 41707a 53200->53201 53202 416fea 53200->53202 53219 4157ac 18 API calls 53201->53219 53204 417004 SendMessageA 53202->53204 53205 416ff8 53202->53205 53215 417058 53204->53215 53206 417002 CallWindowProcA 53205->53206 53207 41701e 53205->53207 53206->53215 53216 41a4e8 GetSysColor 53207->53216 53210 417029 SetTextColor 53211 41703e 53210->53211 53217 41a4e8 GetSysColor 53211->53217 53213 417043 SetBkColor 53218 41ab70 GetSysColor CreateBrushIndirect 53213->53218 53216->53210 53217->53213 53218->53215 53219->53215 53220 416ad4 53221 416ae1 53220->53221 53222 416b3b 53220->53222 53227 4169e0 CreateWindowExA 53221->53227 53223 416ae8 SetPropA SetPropA 53223->53222 53224 416b1b 53223->53224 53225 416b2e SetWindowPos 53224->53225 53225->53222 53227->53223 53228 49469c 53229 4946d6 53228->53229 53230 4946d8 53229->53230 53231 4946e2 53229->53231 53423 409528 MessageBeep 53230->53423 53233 49471a 53231->53233 53234 4946f1 53231->53234 53240 494729 53233->53240 53241 494752 53233->53241 53236 4474e8 32 API calls 53234->53236 53235 403420 4 API calls 53237 494d2e 53235->53237 53238 4946fe 53236->53238 53242 403400 4 API calls 53237->53242 53239 407040 18 API calls 53238->53239 53243 494709 53239->53243 53244 4474e8 32 API calls 53240->53244 53248 49478a 53241->53248 53249 494761 53241->53249 53245 494d36 53242->53245 53424 44783c 19 API calls 53243->53424 53247 494736 53244->53247 53425 
407090 18 API calls 53247->53425 53256 494799 53248->53256 53257 4947b2 53248->53257 53251 4474e8 32 API calls 53249->53251 53253 49476e 53251->53253 53252 494741 53426 44783c 19 API calls 53252->53426 53427 4070c4 18 API calls 53253->53427 53429 407710 19 API calls 53256->53429 53262 4947c1 53257->53262 53263 4947e6 53257->53263 53258 494779 53428 44783c 19 API calls 53258->53428 53261 4947a1 53430 44783c 19 API calls 53261->53430 53265 4474e8 32 API calls 53262->53265 53268 49481e 53263->53268 53269 4947f5 53263->53269 53266 4947ce 53265->53266 53431 407738 53266->53431 53275 49482d 53268->53275 53276 494856 53268->53276 53271 4474e8 32 API calls 53269->53271 53270 4947d6 53434 4475c0 19 API calls 53270->53434 53273 494802 53271->53273 53274 42cc94 19 API calls 53273->53274 53277 49480d 53274->53277 53278 4474e8 32 API calls 53275->53278 53281 4948a2 53276->53281 53282 494865 53276->53282 53435 44783c 19 API calls 53277->53435 53280 49483a 53278->53280 53436 407688 22 API calls 53280->53436 53289 4948da 53281->53289 53290 4948b1 53281->53290 53284 4474e8 32 API calls 53282->53284 53286 494874 53284->53286 53285 494845 53437 44783c 19 API calls 53285->53437 53288 4474e8 32 API calls 53286->53288 53291 494885 53288->53291 53297 4948e9 53289->53297 53298 494912 53289->53298 53292 4474e8 32 API calls 53290->53292 53438 4943a0 22 API calls 53291->53438 53294 4948be 53292->53294 53440 42cd34 53294->53440 53296 494891 53439 44783c 19 API calls 53296->53439 53301 4474e8 32 API calls 53297->53301 53304 49494a 53298->53304 53305 494921 53298->53305 53303 4948f6 53301->53303 53306 42cd5c 19 API calls 53303->53306 53312 494959 53304->53312 53313 494982 53304->53313 53307 4474e8 32 API calls 53305->53307 53308 494901 53306->53308 53309 49492e 53307->53309 53446 44783c 19 API calls 53308->53446 53447 42cd8c 19 API calls 53309->53447 53315 4474e8 32 API calls 53312->53315 53318 4949ba 53313->53318 53319 494991 53313->53319 53314 494939 53448 44783c 19 API calls 53314->53448 
53317 494966 53315->53317 53320 42cdbc 19 API calls 53317->53320 53326 4949c9 53318->53326 53329 494a06 53318->53329 53321 4474e8 32 API calls 53319->53321 53322 494971 53320->53322 53324 49499e 53321->53324 53449 44783c 19 API calls 53322->53449 53325 42cde4 19 API calls 53324->53325 53328 4949a9 53325->53328 53327 4474e8 32 API calls 53326->53327 53330 4949d8 53327->53330 53450 44783c 19 API calls 53328->53450 53334 494a58 53329->53334 53335 494a15 53329->53335 53332 4474e8 32 API calls 53330->53332 53336 4949e9 53332->53336 53333 4946dd 53333->53235 53341 494acb 53334->53341 53342 494a67 53334->53342 53337 4474e8 32 API calls 53335->53337 53451 42c988 19 API calls 53336->53451 53339 494a28 53337->53339 53343 4474e8 32 API calls 53339->53343 53340 4949f5 53452 44783c 19 API calls 53340->53452 53350 494b0a 53341->53350 53351 494ada 53341->53351 53345 4474e8 32 API calls 53342->53345 53346 494a39 53343->53346 53348 494a74 53345->53348 53453 494598 26 API calls 53346->53453 53415 42ca98 21 API calls 53348->53415 53349 494a47 53454 44783c 19 API calls 53349->53454 53359 494b49 53350->53359 53360 494b19 53350->53360 53354 4474e8 32 API calls 53351->53354 53356 494ae7 53354->53356 53355 494a82 53357 494abb 53355->53357 53358 494a86 53355->53358 53362 4530e0 5 API calls 53356->53362 53456 4475c0 19 API calls 53357->53456 53363 4474e8 32 API calls 53358->53363 53372 494b88 53359->53372 53373 494b58 53359->53373 53364 4474e8 32 API calls 53360->53364 53365 494af4 53362->53365 53366 494a95 53363->53366 53367 494b26 53364->53367 53457 4475c0 19 API calls 53365->53457 53416 453458 53366->53416 53458 452f48 53367->53458 53370 494aa5 53455 4475c0 19 API calls 53370->53455 53380 494bd0 53372->53380 53381 494b97 53372->53381 53376 4474e8 32 API calls 53373->53376 53375 494b33 53465 4475c0 19 API calls 53375->53465 53378 494b65 53376->53378 53466 4535e8 53378->53466 53386 494c18 53380->53386 53387 494bdf 53380->53387 53383 4474e8 32 API calls 53381->53383 53382 494b72 53473 
4475c0 19 API calls 53382->53473 53385 494ba6 53383->53385 53388 4474e8 32 API calls 53385->53388 53393 494c2b 53386->53393 53399 494ce1 53386->53399 53389 4474e8 32 API calls 53387->53389 53390 494bb7 53388->53390 53391 494bee 53389->53391 53474 447768 19 API calls 53390->53474 53392 4474e8 32 API calls 53391->53392 53395 494bff 53392->53395 53394 4474e8 32 API calls 53393->53394 53397 494c58 53394->53397 53475 447768 19 API calls 53395->53475 53398 4474e8 32 API calls 53397->53398 53400 494c6f 53398->53400 53399->53333 53479 44748c 32 API calls 53399->53479 53476 40826c 21 API calls 53400->53476 53403 494cfa 53404 42ed58 19 API calls 53403->53404 53405 494d02 53404->53405 53480 44783c 19 API calls 53405->53480 53408 494c91 53409 4474e8 32 API calls 53408->53409 53410 494ca5 53409->53410 53477 408998 18 API calls 53410->53477 53412 494cb0 53478 44783c 19 API calls 53412->53478 53414 494cbc 53415->53355 53417 452efc 2 API calls 53416->53417 53419 453471 53417->53419 53418 453475 53418->53370 53419->53418 53420 453499 MoveFileA GetLastError 53419->53420 53421 452f38 Wow64RevertWow64FsRedirection 53420->53421 53422 4534bf 53421->53422 53422->53370 53423->53333 53424->53333 53425->53252 53426->53333 53427->53258 53428->53333 53429->53261 53430->53333 53432 403738 53431->53432 53433 407742 SetCurrentDirectoryA 53432->53433 53433->53270 53434->53333 53435->53333 53436->53285 53437->53333 53438->53296 53439->53333 53441 42cc2c IsDBCSLeadByte 53440->53441 53442 42cd44 53441->53442 53443 403778 18 API calls 53442->53443 53444 42cd55 53443->53444 53445 44783c 19 API calls 53444->53445 53445->53333 53446->53333 53447->53314 53448->53333 53449->53333 53450->53333 53451->53340 53452->53333 53453->53349 53454->53333 53455->53333 53456->53333 53457->53333 53459 452efc 2 API calls 53458->53459 53461 452f5e 53459->53461 53460 452f62 53460->53375 53461->53460 53462 452f80 CreateDirectoryA GetLastError 53461->53462 53463 452f38 Wow64RevertWow64FsRedirection 53462->53463 53464 452fa6 
53463->53464 53464->53375 53465->53333 53467 452efc 2 API calls 53466->53467 53468 4535fe 53467->53468 53469 453602 53468->53469 53470 45361e RemoveDirectoryA GetLastError 53468->53470 53469->53382 53471 452f38 Wow64RevertWow64FsRedirection 53470->53471 53472 453644 53471->53472 53472->53382 53473->53333 53474->53333 53475->53333 53476->53408 53477->53412 53478->53414 53479->53403 53480->53333 56308 482c3e 56309 4517dc 19 API calls 56308->56309 56310 482c52 56309->56310 56311 481c60 35 API calls 56310->56311 56312 482c76 56311->56312 56313 422774 56314 422783 56313->56314 56319 421704 56314->56319 56318 4227a3 56320 421773 56319->56320 56322 421713 56319->56322 56325 421784 56320->56325 56344 412960 GetMenuItemCount GetMenuStringA GetMenuState 56320->56344 56322->56320 56343 4091bc 33 API calls 56322->56343 56323 42184a 56327 421823 56323->56327 56329 42185e SetMenu 56323->56329 56324 4217b2 56328 421825 56324->56328 56334 4217cd 56324->56334 56325->56323 56325->56324 56326 421876 56347 42164c 24 API calls 56326->56347 56327->56326 56346 4222bc 25 API calls 56327->56346 56328->56327 56333 421839 56328->56333 56329->56327 56332 42187d 56332->56318 56342 422678 10 API calls 56332->56342 56336 421842 SetMenu 56333->56336 56334->56327 56337 4217f0 GetMenu 56334->56337 56336->56327 56338 421813 56337->56338 56339 4217fa 56337->56339 56345 412960 GetMenuItemCount GetMenuStringA GetMenuState 56338->56345 56341 42180d SetMenu 56339->56341 56341->56338 56342->56318 56343->56322 56344->56325 56345->56327 56346->56326 56347->56332 53481 44b9dc 53482 44b9ea 53481->53482 53484 44ba09 53481->53484 53482->53484 53485 44b8c0 53482->53485 53486 44b8f3 53485->53486 53496 414f78 53486->53496 53488 44b906 53489 44b933 GetDC 53488->53489 53490 40357c 18 API calls 53488->53490 53500 41a678 53489->53500 53490->53489 53493 44b964 53508 44b5f4 53493->53508 53495 44b978 ReleaseDC 53495->53484 53497 414f86 53496->53497 53498 4034e0 18 API calls 53497->53498 53499 414f93 53498->53499 
53499->53488 53501 41a6a3 53500->53501 53502 41a73f 53500->53502 53519 403520 53501->53519 53503 403400 4 API calls 53502->53503 53504 41a757 SelectObject 53503->53504 53504->53493 53506 41a6fb 53507 41a733 CreateFontIndirectA 53506->53507 53507->53502 53509 44b60b 53508->53509 53510 44b69e 53509->53510 53511 44b687 53509->53511 53512 44b61e 53509->53512 53510->53495 53514 44b697 DrawTextA 53511->53514 53512->53510 53513 402648 18 API calls 53512->53513 53515 44b62f 53513->53515 53514->53510 53516 44b64d MultiByteToWideChar DrawTextW 53515->53516 53517 402660 4 API calls 53516->53517 53518 44b67f 53517->53518 53518->53495 53520 4034e0 18 API calls 53519->53520 53521 40352a 53520->53521 53521->53506 56348 46d0bc 56349 46d559 56348->56349 56350 46d0f0 56348->56350 56351 403400 4 API calls 56349->56351 56352 46d12c 56350->56352 56355 46d166 56350->56355 56356 46d177 56350->56356 56357 46d144 56350->56357 56358 46d155 56350->56358 56359 46d188 56350->56359 56354 46d598 56351->56354 56352->56349 56353 46a1e4 33 API calls 56352->56353 56368 46d1c4 56353->56368 56361 403400 4 API calls 56354->56361 56403 46cc7c 56355->56403 56647 46ce3c 175 API calls 56356->56647 56645 46c9cc 169 API calls 56357->56645 56646 46cb34 57 API calls 56358->56646 56648 46d04c 60 API calls 56359->56648 56366 46d5a0 56361->56366 56367 46d14a 56367->56349 56367->56352 56368->56349 56369 497c0c 140 API calls 56368->56369 56381 46d207 56368->56381 56369->56381 56370 46a120 33 API calls 56370->56381 56371 414f78 18 API calls 56371->56381 56375 42d050 20 API calls 56375->56381 56376 403450 18 API calls 56376->56381 56377 46c4d8 144 API calls 56377->56381 56380 46c4d8 144 API calls 56380->56349 56381->56349 56381->56370 56381->56371 56381->56375 56381->56376 56381->56377 56382 46d383 56381->56382 56399 46d44b 56381->56399 56438 48594c 56381->56438 56463 46c244 56381->56463 56573 485444 56381->56573 56649 46c788 140 API calls 56381->56649 56470 46b48c 56382->56470 56384 46d3e9 56385 403450 18 API calls 
Strings
Memory Dump Source
• Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_setup.jbxd
Similarity
• API ID:
• String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$ISWILDCARD$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT$WILDCARDMATCH
• API String ID: 0-2995905506
• Opcode ID: 37ee447e99650c0fc0ba028983b4eb2a4eaabcc94e743dde242ae03aac04c445
• Instruction ID: 531e8d64222ffae2c249fa443d2387929f23501f78df198fe4c1f2eaeed2c77d
• Opcode Fuzzy Hash: 37ee447e99650c0fc0ba028983b4eb2a4eaabcc94e743dde242ae03aac04c445
                                                                                    • Instruction Fuzzy Hash: 8FD25270B041055BDF10EB79CD829AEBAA5AF48314F50943FB802AB796DF3CDD068799
                                                                                    Strings
                                                                                    • Same time stamp. Skipping., xrefs: 0047273D
                                                                                    • Will register the file (a DLL/OCX) later., xrefs: 00472F16
                                                                                    • Version of existing file: %u.%u.%u.%u, xrefs: 00472564
                                                                                    • Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 004726AC
                                                                                    • User opted not to overwrite the existing file. Skipping., xrefs: 00472835
                                                                                    • Version of our file: %u.%u.%u.%u, xrefs: 004724D8
                                                                                    • Uninstaller requires administrator: %s, xrefs: 00472B77
                                                                                    • Existing file is a newer version. Skipping., xrefs: 004725EA
                                                                                    • Dest file exists., xrefs: 004723A3
                                                                                    • User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0047287E
                                                                                    • @, xrefs: 00472198
                                                                                    • -- File entry --, xrefs: 004720E3
                                                                                    • Non-default bitness: 64-bit, xrefs: 00472297
                                                                                    • Couldn't read time stamp. Skipping., xrefs: 0047271D
                                                                                    • Existing file has a later time stamp. Skipping., xrefs: 004727B7
                                                                                    • , xrefs: 004725B7, 00472788, 00472806
                                                                                    • Stripped read-only attribute., xrefs: 004728AF
                                                                                    • Skipping due to "onlyifdoesntexist" flag., xrefs: 004723B6
                                                                                    • Time stamp of our file: (failed to read), xrefs: 0047238F
                                                                                    • Time stamp of existing file: (failed to read), xrefs: 0047241F
                                                                                    • @G, xrefs: 00473102
                                                                                    • Version of existing file: (none), xrefs: 004726E2
                                                                                    • Dest filename: %s, xrefs: 0047227C
                                                                                    • Will register the file (a type library) later., xrefs: 00472F0A
                                                                                    • Non-default bitness: 32-bit, xrefs: 004722A3
                                                                                    • Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 004726B8
                                                                                    • Dest file is protected by Windows File Protection., xrefs: 004722D5
                                                                                    • Incrementing shared file count (64-bit)., xrefs: 00472F83
                                                                                    • Time stamp of existing file: %s, xrefs: 00472413
                                                                                    • Existing file is protected by Windows File Protection. Skipping., xrefs: 004727D4
                                                                                    • Failed to strip read-only attribute., xrefs: 004728BB
                                                                                    • Time stamp of our file: %s, xrefs: 00472383
                                                                                    • InUn, xrefs: 00472B47
                                                                                    • Same version. Skipping., xrefs: 004726CD
                                                                                    • Version of our file: (none), xrefs: 004724E4
                                                                                    • .tmp, xrefs: 0047299F
                                                                                    • Skipping due to "onlyifdestfileexists" flag., xrefs: 004728E2
                                                                                    • Incrementing shared file count (32-bit)., xrefs: 00472F9C
                                                                                    • Installing the file., xrefs: 004728F1
                                                                                    • Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0047269D
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$@G
                                                                                    • API String ID: 0-3139656284
                                                                                    • Opcode ID: 2ca944abd11ffe5ed3deb4ea42b644508402c02fe05ec4600210d7556e9b51bb
                                                                                    • Instruction ID: e846c5e2122373c9cf2c974f964045fbb5c4e19b24ce52c4775c4ed8f2df76e0
                                                                                    • Opcode Fuzzy Hash: 2ca944abd11ffe5ed3deb4ea42b644508402c02fe05ec4600210d7556e9b51bb
                                                                                    • Instruction Fuzzy Hash: 74929434A04288DFCB11DFA5C985BDDBBB0AF05305F1480ABE848BB392D7789E45DB19

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E566
                                                                                    • GetVersion.KERNEL32(00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E583
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E59C
                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E5A2
                                                                                    • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E710,?,0049C788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E5B7
                                                                                    • FreeSid.ADVAPI32(00000000,0042E717,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E70A
                                                                                    Similarity
                                                                                    • API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
                                                                                    • String ID: CheckTokenMembership$advapi32.dll
                                                                                    • API String ID: 2252812187-1888249752
                                                                                    • Opcode ID: d0ffce1a219d86b1bd6f850fd0d6e3702cc0aa4fa018b77625bad589c7fe0be6
                                                                                    • Instruction ID: bd7b6b299922f244852f5898a9d4d4a5ef1c154b8f3e5ea1adaf5ad24a825e41
                                                                                    • Opcode Fuzzy Hash: d0ffce1a219d86b1bd6f850fd0d6e3702cc0aa4fa018b77625bad589c7fe0be6
                                                                                    • Instruction Fuzzy Hash: 36519471B44315AEEB11EAE69C42B7F77ACDB19304F94047BB500EB282D57CDD048B69

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(0049CA78,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456EAE
                                                                                    • CoCreateInstance.OLE32(0049C764,00000000,00000001,0049C774,?,00000000,00457213), ref: 00456ED4
                                                                                    • SysFreeString.OLEAUT32(00000000), ref: 0045708B
                                                                                    Strings
                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00457070
                                                                                    • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456FED
                                                                                    • IPropertyStore::Commit, xrefs: 00457113
                                                                                    • %ProgramFiles(x86)%\, xrefs: 00456F5E
                                                                                    • CoCreateInstance, xrefs: 00456EDF
                                                                                    • IPersistFile::Save, xrefs: 00457192
                                                                                    • {pf32}\, xrefs: 00456F4E
                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00457021
                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 004570C2
                                                                                    • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004570FA
                                                                                    • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00457134
                                                                                    Similarity
                                                                                    • API ID: CreateInstance$FreeString
                                                                                    • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                    • API String ID: 308859552-2363233914
                                                                                    • Opcode ID: becbff43b94e2574c661a1fd6be0a1c1fb501e920e49a3e851ff127d80a12a23
                                                                                    • Instruction ID: 2e1e526739867e50670bceb89507c71339c1b21d6ee211b494412a744f46fea4
                                                                                    • Opcode Fuzzy Hash: becbff43b94e2574c661a1fd6be0a1c1fb501e920e49a3e851ff127d80a12a23
                                                                                    • Instruction Fuzzy Hash: 3DB13C71A04104AFDB10DFA9D885B9E7BF8AF09306F1440A6F804E7362DB38DD49CB69

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A53
                                                                                      • Part of subcall function 004509F8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00450A10
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,00450B45,?,?,?,?,00000000,00000000,?,00482E33), ref: 00450A8F
                                                                                    • GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00450AAD
                                                                                    • GetProcAddress.KERNEL32(00000000,RmRegisterResources), ref: 00450AC2
                                                                                    • GetProcAddress.KERNEL32(00000000,RmGetList), ref: 00450AD7
                                                                                    • GetProcAddress.KERNEL32(00000000,RmShutdown), ref: 00450AEC
                                                                                    • GetProcAddress.KERNEL32(00000000,RmRestart), ref: 00450B01
                                                                                    • GetProcAddress.KERNEL32(00000000,RmEndSession), ref: 00450B16
                                                                                    Similarity
                                                                                    • API ID: AddressProc$DirectoryLibraryLoadSystemVersion
                                                                                    • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                    • API String ID: 2754715182-3419246398
                                                                                    • Opcode ID: e4e1835a9be9cc26529bcec95a28a820a148bf5403511da9b7c87cb3fd4541b1
                                                                                    • Instruction ID: 2841e6775defb51719e30d1654eee8915289afef741f041a49b247766738df14
                                                                                    • Opcode Fuzzy Hash: e4e1835a9be9cc26529bcec95a28a820a148bf5403511da9b7c87cb3fd4541b1
                                                                                    • Instruction Fuzzy Hash: 8F212EB4510204BFE710FBE2DC86B6E77E8E714759F540537B840A71A2E678A949CB1C

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 7a5d1be347ef4cd5275f3ba2e219eacedcf17009f3a645b5836368762c95c774
                                                                                    • Instruction ID: 825bfe9503c2e42b9fb69ea357955289e6132b3f8b751ff356745ab72a8b0ef1
                                                                                    • Opcode Fuzzy Hash: 7a5d1be347ef4cd5275f3ba2e219eacedcf17009f3a645b5836368762c95c774
                                                                                    • Instruction Fuzzy Hash: F0E18C34700124EFD710DB69E585A5EB7B4FB88304FA440A6FA85EB356C738EE81DB19

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422E84
                                                                                    • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042304E), ref: 00422E94
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1631623395-0
                                                                                    • Opcode ID: dd6b111e123643712c12eb43ad0bd18388838309a24d3fb99b22d682eaa30e2a
                                                                                    • Instruction ID: 26a98208f56e96a8b9863cf96f01cb8393c818091eec428a2aa80c5483449fd4
                                                                                    • Opcode Fuzzy Hash: dd6b111e123643712c12eb43ad0bd18388838309a24d3fb99b22d682eaa30e2a
                                                                                    • Instruction Fuzzy Hash: 82915270B04254EFD711DFA9DA86F9E77F4AB04304F5600BAF504AB392C779AE40AB58
                                                                                    APIs
                                                                                      • Part of subcall function 004988F0: MulDiv.KERNEL32(?,?,00000006), ref: 00498967
                                                                                      • Part of subcall function 004988F0: MulDiv.KERNEL32(?,?,0000000D), ref: 0049897C
                                                                                      • Part of subcall function 00498738: GetWindowRect.USER32(00000000), ref: 0049874E
                                                                                    • LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00468CC8
                                                                                      • Part of subcall function 00467FCC: KiUserCallbackDispatcher.NTDLL(?,?,?,?,00468D7C,00000000,00000000,00000000,0000000C,00000000,00000000,0046A02D), ref: 00467FE4
                                                                                      • Part of subcall function 004989BC: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 004989C6
                                                                                      • Part of subcall function 0042F1C8: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F224
                                                                                      • Part of subcall function 0042F1C8: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F241
                                                                                      • Part of subcall function 00498688: GetDC.USER32(00000000), ref: 004986AA
                                                                                      • Part of subcall function 00498688: SelectObject.GDI32(?,00000000), ref: 004986D0
                                                                                      • Part of subcall function 00498688: ReleaseDC.USER32(00000000,?), ref: 00498721
                                                                                      • Part of subcall function 004989AC: MulDiv.KERNEL32(0000004B,?,00000006), ref: 004989B6
                                                                                    • GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 0046996B
                                                                                    • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046997C
                                                                                    • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00469994
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Append$AddressAutoBitmapCallbackCompleteDispatcherLoadObjectProcRectReleaseSelectSystemUserWindow
                                                                                    • String ID: $(Default)$STOPIMAGE
                                                                                    • API String ID: 3744962282-770201673
                                                                                    • Opcode ID: 8946f81524f9d19275f7abce38fb92794786ad1c9579238aa5d491563488633e
                                                                                    • Instruction ID: f09852cb7729e2bbd5cbdd1f7d0006831e648923f53a2056fc505b03d658ebd5
                                                                                    • Opcode Fuzzy Hash: 8946f81524f9d19275f7abce38fb92794786ad1c9579238aa5d491563488633e
                                                                                    • Instruction Fuzzy Hash: E5F2C7386005148FCB00EB69D8D9F9977F5BF89304F1542BAE5049B36AD778AC4ACB4A
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,0045677B), ref: 0045666C
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00456672
                                                                                    • GetDiskFreeSpaceExA.KERNELBASE(00000000,?,?,00000000,00000000,00456759,?,00000000,kernel32.dll,GetDiskFreeSpaceExA,00000000,0045677B), ref: 004566C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressDiskFreeHandleModuleProcSpace
                                                                                    • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                    • API String ID: 1197914913-3712701948
                                                                                    • Opcode ID: 447f35e336ea0be904eb07cf60a2c864690941daeb470e2583af50a99dd07ffa
                                                                                    • Instruction ID: b3c638b06f07771193fa82c07f29861e578aec67d60b7d75356f70af58752f0b
                                                                                    • Opcode Fuzzy Hash: 447f35e336ea0be904eb07cf60a2c864690941daeb470e2583af50a99dd07ffa
                                                                                    • Instruction Fuzzy Hash: 84418271A00249AFCF01EFA5C8829EEB7B8EF4C305F51456AF804F7252D6785E098B68
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00476F9D
                                                                                    • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 0047707A
                                                                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004770AE,?,?,0049F1E4,00000000), ref: 00477088
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                    • String ID: unins$unins???.*
                                                                                    • API String ID: 3541575487-1009660736
                                                                                    • Opcode ID: 1dcdef4b6496a0c6079eae1b6a03b6fa42dc3ae19ad99367f231285c9fd42f0e
                                                                                    • Instruction ID: b3651197dbd027c67a28626735fb33018e03d09d0edc3c1e02fba50c739ea7b0
                                                                                    • Opcode Fuzzy Hash: 1dcdef4b6496a0c6079eae1b6a03b6fa42dc3ae19ad99367f231285c9fd42f0e
                                                                                    • Instruction Fuzzy Hash: C6313E70A04148AFCB10EB65CD81ADEB7BDEB45344F91C0F6A40CA72A2DB79DF458B58
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 00453275
                                                                                    • GetLastError.KERNEL32(00000000,?,00000000,0045329B,?,?,-00000001,00000000), ref: 0045327D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileFindFirstLast
                                                                                    • String ID:
                                                                                    • API String ID: 873889042-0
                                                                                    • Opcode ID: e063f3102ba3d49e2d0a23883331eac165e5b7c253392f7bbfe801deb66ef461
                                                                                    • Instruction ID: 01611b9c15ef78b160da910fd5818d9ac2674b067f1b6166a22c9a12ef003207
                                                                                    • Opcode Fuzzy Hash: e063f3102ba3d49e2d0a23883331eac165e5b7c253392f7bbfe801deb66ef461
                                                                                    • Instruction Fuzzy Hash: CAF02D72A04704AB8B10DF76AC0149EF7BCEB8637672046BBFC14E3692DB794F058558
                                                                                    APIs
                                                                                    • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoLocale
                                                                                    • String ID:
                                                                                    • API String ID: 2299586839-0
                                                                                    • Opcode ID: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
                                                                                    • Instruction ID: 256e1aeba2a9af0ec73989512e647111dc5dc60b4a8a7c740aeb84942aea65fa
                                                                                    • Opcode Fuzzy Hash: 6517a6df1027816fea4addc753f432335232e8d46b8be6dc802d5a2abbf08fa6
                                                                                    • Instruction Fuzzy Hash: 61E0683170021457C311A91A8C82AFBB34CDB18354F40427FBD44E73C2EDB89E4146EC
                                                                                    APIs
                                                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245E1,?,00000000,004245EC), ref: 0042403E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: NtdllProc_Window
                                                                                    • String ID:
                                                                                    • API String ID: 4255912815-0
                                                                                    • Opcode ID: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
                                                                                    • Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
                                                                                    • Opcode Fuzzy Hash: 3c6509642d3bb9f27e5e83e23d7c94f2c76b3e04732c449b11ab7c6176b5423f
                                                                                    • Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: NameUser
                                                                                    • String ID:
                                                                                    • API String ID: 2645101109-0
                                                                                    • Opcode ID: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
                                                                                    • Instruction ID: 85d927fa64bde7e0f6bd0e56391a747b52e91616c2131cbf33e1fd207173554c
                                                                                    • Opcode Fuzzy Hash: 065d5d2aa7b724ed6289c5adcb70c30f8e9a1dde2e28f2192dd81213443c68fe
                                                                                    • Instruction Fuzzy Hash: 91D0C2B230460063C700BA68DC825AA358D8B84305F00483E7CC5DA2C3EABDDA4C5696
                                                                                    APIs
                                                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042FA1C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: NtdllProc_Window
                                                                                    • String ID:
                                                                                    • API String ID: 4255912815-0
                                                                                    • Opcode ID: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
                                                                                    • Instruction ID: e991843b48109e052d0f5957ab47f1130dd67dcde68d8ed9d112e108350b7662
                                                                                    • Opcode Fuzzy Hash: 9c092c28255bcc30e80686d9f5dffef4909b4cfadbe587d4d40091b81cadcf9b
                                                                                    • Instruction Fuzzy Hash: 02D05E7131010C6B9B00DE98E840C6B33AC9B88700BA08829F908C7201C634ED1097A8

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 00470584: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,0049F1E4,?,004708E0,?,00000000,00470E9F,?,_is1), ref: 004705A7
                                                                                    • RegCloseKey.ADVAPI32(?,00470EA6,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00470EF1,?,?,0049F1E4,00000000), ref: 00470E99
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseValue
                                                                                    • String ID: " /SILENT$5.6.1 (a)$Comments$Contact$Creating new uninstall key: %s\%s$Deleting any uninstall keys left over from previous installs$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$Writing uninstall key values.$_is1
                                                                                    • API String ID: 3132538880-2016618693
                                                                                    • Opcode ID: 91bb0532aa98dc70dbac6aadccd43ce0d571d9b3152902844de461d2061401bf
                                                                                    • Instruction ID: 6798738c776f755904db97d76c4cdf83817ddf359efdfbfe393e220e71fc5506
                                                                                    • Opcode Fuzzy Hash: 91bb0532aa98dc70dbac6aadccd43ce0d571d9b3152902844de461d2061401bf
                                                                                    • Instruction Fuzzy Hash: EE226634A01148EFDB14DB59E881ADE73B5EB44304F60C57BF808AB3A5DB78AE45CB58

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00475A51,?,?,?,?,00000000,00475BB5,?,?,0049F1E4), ref: 00475542
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00475A51,?,?,?,?,00000000,00475BB5), ref: 0047554B
                                                                                    • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00475A40,?,00000000,00475A51,?,?,?,?,00000000,00475BB5,?,?,0049F1E4), ref: 004756D2
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteValue$CloseOpen
                                                                                    • String ID: -- Registry entry --$Cannot access 64-bit registry keys on this version of Windows$Creating or opening the key.$Creating or setting the value.$Deleting the key.$Deleting the value.$Failed to parse "qword" value$Key of value to delete does not exist.$Key to delete is not deletable.$Key: %s\%s$New key created, need to set permissions again.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Not creating the key or a value, skipping the key and only updating uninstall log.$Opening the key.$Successfully created or set the value.$Successfully created the key.$Successfully deleted the key.$Successfully deleted the value.$Value name: %s$break$olddata${olddata}
                                                                                    • API String ID: 1772201698-1863323878
                                                                                    • Opcode ID: 5ef44ae8b2468c5572bfebc8ea878adcfb26068152b675f2b442ba75bde81d3d
                                                                                    • Instruction ID: 9411f3bb0f5695d7ce1bd5c048a7148ae9b3a15eab8c6388bf4352628dc1df34
                                                                                    • Opcode Fuzzy Hash: 5ef44ae8b2468c5572bfebc8ea878adcfb26068152b675f2b442ba75bde81d3d
                                                                                    • Instruction Fuzzy Hash: 3A423174E006489FDB14DBA9C481BDEB7F4AF08304F54816AF908AF3A2DB789D45CB59

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
                                                                                    • GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
                                                                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B
                                                                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406680
                                                                                    • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406696
                                                                                    • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 004066A1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModulePolicyProcessVersion
                                                                                    • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                                                    • API String ID: 3297890031-1119018034
                                                                                    • Opcode ID: 2c56b33dd224f24940b22a135b2d6f6ee028c26b19cb0cb345135bf18bc139ab
                                                                                    • Instruction ID: 7e21cf5f117f2e3abcec30b6674fd8076a5a40f26409e7412662737288cf0c05
                                                                                    • Opcode Fuzzy Hash: 2c56b33dd224f24940b22a135b2d6f6ee028c26b19cb0cb345135bf18bc139ab
                                                                                    • Instruction Fuzzy Hash: 5C612030A00009EBDB01FBAAD982D8D7BB89B45749B214077A405772F6DB3CEF199B5D

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
                                                                                    • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
                                                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6
                                                                                    • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485ECD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                    • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                    • API String ID: 2230631259-2623177817
                                                                                    • Opcode ID: 1972131867bb0072eec6dd8a19814603b528df427e9a9e8a7c1b726c65bdcdb7
                                                                                    • Instruction ID: 52726a1ce108b2e1205f78178c8bd3673f5dc6952592f7a0a7a67ab458256f91
                                                                                    • Opcode Fuzzy Hash: 1972131867bb0072eec6dd8a19814603b528df427e9a9e8a7c1b726c65bdcdb7
                                                                                    • Instruction Fuzzy Hash: FD118465148F8195DE1273794C8A77F2A888B10718F2C0C3B7B847A6D2DBBC8D85972F

                                                                                    Control-flow Graph

                                                                                    • Function block starting at 46a2f8 (graph not reproduced; legend: Executed / Not Executed)
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(?,0046A512,?,?,00000001,00000000,00000000,0046A52D,?,00000000,00000000,?), ref: 0046A4FB
                                                                                    Strings
                                                                                    • Inno Setup: User Info: Serial, xrefs: 0046A4DD
                                                                                    • Inno Setup: Setup Type, xrefs: 0046A40A
                                                                                    • Inno Setup: Deselected Components, xrefs: 0046A43C
                                                                                    • %s\%s_is1, xrefs: 0046A375
                                                                                    • Inno Setup: Deselected Tasks, xrefs: 0046A489
                                                                                    • Inno Setup: User Info: Organization, xrefs: 0046A4CA
                                                                                    • Inno Setup: Icon Group, xrefs: 0046A3D6
                                                                                    • Inno Setup: No Icons, xrefs: 0046A3E3
                                                                                    • Inno Setup: User Info: Name, xrefs: 0046A4B7
                                                                                    • Inno Setup: Selected Tasks, xrefs: 0046A467
                                                                                    • Inno Setup: Selected Components, xrefs: 0046A41A
                                                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0046A357
                                                                                    • Inno Setup: App Path, xrefs: 0046A3BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall

                                                                                    Control-flow Graph

                                                                                    • Function block starting at 4744a8 (graph not reproduced; legend: Executed / Not Executed)
                                                                                    APIs
                                                                                      • Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8
                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00474660
                                                                                    • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0047477B
                                                                                    • SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00474791
                                                                                    • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004747B6
                                                                                    Similarity
                                                                                    • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                    • String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 0042DD28: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,004545B0,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229), ref: 0042DD3B
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                      • Part of subcall function 0042DD80: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
                                                                                      • Part of subcall function 0042DD80: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0
                                                                                    • SHGetKnownFolderPath.SHELL32(0049CD48,00008000,00000000,?,00000000,0047EB7C), ref: 0047EA82
                                                                                    • CoTaskMemFree.OLE32(?,0047EAC5), ref: 0047EAB8
                                                                                      • Part of subcall function 0042D698: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DECE,00000000,0042DF60,?,?,?,0049E62C,00000000,00000000), ref: 0042D6C3
                                                                                    Similarity
                                                                                    • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe

                                                                                    Control-flow Graph

                                                                                    • Function block starting at 47f0b4 (graph not reproduced; legend: Executed / Not Executed)
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047F1E1
                                                                                    Similarity
                                                                                    • API ID: AddressDirectoryProcSystem
                                                                                    • String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                    APIs
                                                                                    • GetActiveWindow.USER32 ref: 0042FA6F
                                                                                    • GetFocus.USER32 ref: 0042FA77
                                                                                    • RegisterClassA.USER32(0049C7AC), ref: 0042FA98
                                                                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042FB6C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042FAD6
                                                                                    • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042FB1C
                                                                                    • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FB2D
                                                                                    • SetFocus.USER32(00000000,00000000,0042FB4F,?,?,?,00000001,00000000,?,00458BE2,00000000,0049E62C), ref: 0042FB34
                                                                                    Similarity
                                                                                    • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                    • String ID: ,I$TWindowDisabler-Window
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.KERNEL32(0049E420,00000000,00401B68), ref: 00401ABD
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
                                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B58
                                                                                    • RtlDeleteCriticalSection.KERNEL32(0049E420,00401B6F), ref: 00401B62
                                                                                    Similarity
                                                                                    • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                    • String ID: @I$PI$|I
                                                                                    APIs
                                                                                      • Part of subcall function 0041F854: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872
                                                                                    • GetClassInfoA.USER32(00400000,00423B0C), ref: 00423D2F
                                                                                    • RegisterClassA.USER32(0049C630), ref: 00423D47
                                                                                    • GetSystemMetrics.USER32(00000000), ref: 00423D69
                                                                                    • GetSystemMetrics.USER32(00000001), ref: 00423D78
                                                                                    • SetWindowLongA.USER32(004108F0,000000FC,00423B1C), ref: 00423DD4
                                                                                    • SendMessageA.USER32(004108F0,00000080,00000001,00000000), ref: 00423DF5
                                                                                    • GetSystemMenu.USER32(004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C,0041F234), ref: 00423E00
                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C,0041F234), ref: 00423E0F
                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423E1C
                                                                                    • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108F0,00000000,00000000,00400000,00000000,00000000,00000000), ref: 00423E32
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                    • String ID:
                                                                                    • API String ID: 183575631-0
                                                                                    • Opcode ID: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
                                                                                    • Instruction ID: 3c08988f126546789c3863b6090fce38962bc241f8b01a8198fec2671c318d21
                                                                                    • Opcode Fuzzy Hash: aeea6ed96da726cf0390846aab0a070c3404cae578d0716d11b5eb43d210982e
                                                                                    • Instruction Fuzzy Hash: B73173B17402506AEB10AF69EC82F6736989714709F60017BFA44EE2D7D6BDED00876D
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00483DA9
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00483DBD
                                                                                    • SendNotifyMessageA.USER32(00020434,00000496,00002710,00000000), ref: 00483E2F
                                                                                    Strings
                                                                                    • Restarting Windows., xrefs: 00483E0A
                                                                                    • DeinitializeSetup, xrefs: 00483CA5
                                                                                    • Deinitializing Setup., xrefs: 00483C0A
                                                                                    • Not restarting Windows because Setup is being run from the debugger., xrefs: 00483DDE
                                                                                    • GetCustomSetupExitCode, xrefs: 00483C49
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary$MessageNotifySend
                                                                                    • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                    • API String ID: 3817813901-1884538726
                                                                                    • Opcode ID: 99f6f5090eb2eb7830475b15b83d124a51ce2b61bfba8942407933063a6f0742
                                                                                    • Instruction ID: eabafc25287b198f6322efd67ece7b763d9c4378165dc3fe8608e6ffeb49dec3
                                                                                    • Opcode Fuzzy Hash: 99f6f5090eb2eb7830475b15b83d124a51ce2b61bfba8942407933063a6f0742
                                                                                    • Instruction Fuzzy Hash: 4451B030700240AFD710EF79D885B5E77E4EB29B09F50887BE800D72A1DB38AE49CB19
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675,?,?,00000000,004748F8), ref: 0047437C
                                                                                      • Part of subcall function 0042D224: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042D29A
                                                                                      • Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000,?,00474675), ref: 004743F3
                                                                                    • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00474419,?,?,?,00000008,00000000,00000000,00000000), ref: 004743F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                    • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                    • API String ID: 884541143-1710247218
                                                                                    • Opcode ID: 456d736adf8e49b8ca99d693e1c54b1e1f01cec6840b5336751946b70768f270
                                                                                    • Instruction ID: 4e84a14b44ef1bdc1f764160ca150a50166b9b0d2b2f0232ddeafb405eb560a8
                                                                                    • Opcode Fuzzy Hash: 456d736adf8e49b8ca99d693e1c54b1e1f01cec6840b5336751946b70768f270
                                                                                    • Instruction Fuzzy Hash: 2311C8307005147BD711E6659C82BAF73ADDB84758F60C17BF804A72C2DB3C9E02966D
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                    • API String ID: 1646373207-2130885113
                                                                                    • Opcode ID: 900bcb4114fb4c0984014630efc23af009e9f03ab7b8db2a3acde9aabfcbe191
                                                                                    • Instruction ID: 18891d3ceb8887e2f5320c13b89f4eae329e81661ad9de64afed935a1ef9114c
                                                                                    • Opcode Fuzzy Hash: 900bcb4114fb4c0984014630efc23af009e9f03ab7b8db2a3acde9aabfcbe191
                                                                                    • Instruction Fuzzy Hash: EA119130644255BEEB00EF72D802B5E77A8D74479AF60447BF88066292D67C9E4C8A2D
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458B08,?, /s ",?,regsvr32.exe",?,00458B08), ref: 00458A7A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseDirectoryHandleSystem
                                                                                    • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                    • API String ID: 2051275411-1862435767
                                                                                    • Opcode ID: f686ff99c0215ae00bc2e8938070f966266e42d14554035475febd8d128da132
                                                                                    • Instruction ID: 80d87ab17c090028f18ddd9dc69d9a9522a7783b235ef4a64a7d04e5292bd67e
                                                                                    • Opcode Fuzzy Hash: f686ff99c0215ae00bc2e8938070f966266e42d14554035475febd8d128da132
                                                                                    • Instruction Fuzzy Hash: 8341E470E003486BDB11EF95C842B9DB7B9AF45305F50407FB904BB296DF78AE098B59
                                                                                    APIs
                                                                                    • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 004686B3
                                                                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004686D9
                                                                                      • Part of subcall function 0046854C: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 004685E7
                                                                                      • Part of subcall function 0046854C: DestroyCursor.USER32(00000000), ref: 004685FD
                                                                                    • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 00468730
                                                                                    • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00468791
                                                                                    • ExtractIconA.SHELL32(00400000,00000000,?), ref: 004687B7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                    • String ID: c:\directory$shell32.dll
                                                                                    • API String ID: 3376378930-1375355148
                                                                                    • Opcode ID: 9050cd45e3efc5afce328fd7ee4ba76a3d8e95d1e89075f13d89f2ed96276e13
                                                                                    • Instruction ID: 811d36ee9d093b3b0276aa4c13663b10f9457e770bee0cd4c871c76846c3392c
                                                                                    • Opcode Fuzzy Hash: 9050cd45e3efc5afce328fd7ee4ba76a3d8e95d1e89075f13d89f2ed96276e13
                                                                                    • Instruction Fuzzy Hash: D2515070600244AFD710EF55CC8AFDAB7E8AB48305F5082BAF4049B751DA799E81CA59
                                                                                    APIs
                                                                                    • RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                    • RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                    • LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                    • String ID: @I$PI$|I
                                                                                    • API String ID: 730355536-480730394
                                                                                    • Opcode ID: a4bc39b30c5ed4d75bf3f4cd8aa94f51fbbb45c94376e80eb638db1dc0cdf7cb
                                                                                    • Instruction ID: 94269b02b44d1611755d75869bdd1b1cad58823c34eb859de2800409b3eb1631
                                                                                    • Opcode Fuzzy Hash: a4bc39b30c5ed4d75bf3f4cd8aa94f51fbbb45c94376e80eb638db1dc0cdf7cb
                                                                                    • Instruction Fuzzy Hash: BC01C070644240AEFB19EB6B98027253ED4D799748F11883BF440A6AF1CABD4840CB6E
                                                                                    APIs
                                                                                    • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430E28
                                                                                    • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430E37
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00430E51
                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 00430E72
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                    • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                    • API String ID: 4130936913-2943970505
                                                                                    • Opcode ID: 4842943032f7e665edf48454b8f0668acbf12da500d71f69c3a659e3ac448604
                                                                                    • Instruction ID: 010e98d13399693fc9d497d8664f6f2789eb24ebecb377ca83b09cc51ba55008
                                                                                    • Opcode Fuzzy Hash: 4842943032f7e665edf48454b8f0668acbf12da500d71f69c3a659e3ac448604
                                                                                    • Instruction Fuzzy Hash: 58F082B09483408ED300EB768842B1E7BE4AB58718F404A3FB498A62A1D77A9910CB1F
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28,00000000), ref: 004559B6
                                                                                    • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455A28,00455A28,?,00455A28), ref: 004559C3
                                                                                      • Part of subcall function 00455778: WaitForInputIdle.USER32(?,00000032), ref: 004557A4
                                                                                      • Part of subcall function 00455778: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004557C6
                                                                                      • Part of subcall function 00455778: GetExitCodeProcess.KERNEL32(?,?), ref: 004557D5
                                                                                      • Part of subcall function 00455778: CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                    • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                    • API String ID: 854858120-615399546
                                                                                    APIs
                                                                                    • LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
                                                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423BD9
                                                                                    • OemToCharA.USER32(?,?), ref: 00423BEC
                                                                                    • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423C2C
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Char$FileIconLoadLowerModuleName
                                                                                    • String ID: 2$MAINICON
                                                                                    • API String ID: 3935243913-3181700818
                                                                                    APIs
                                                                                    • GetCurrentProcessId.KERNEL32(00000000), ref: 004193CD
                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 004193EE
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00419409
                                                                                    • GlobalAddAtomA.KERNEL32(00000000), ref: 0041942A
                                                                                      • Part of subcall function 00423558: GetDC.USER32(00000000), ref: 004235AE
                                                                                      • Part of subcall function 00423558: EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,?,00000001), ref: 004235C1
                                                                                      • Part of subcall function 00423558: GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
                                                                                      • Part of subcall function 00423558: ReleaseDC.USER32(00000000,00000000), ref: 004235D4
                                                                                      • Part of subcall function 00423B1C: LoadIconA.USER32(00400000,MAINICON), ref: 00423BAC
                                                                                      • Part of subcall function 00423B1C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423BD9
                                                                                      • Part of subcall function 00423B1C: OemToCharA.USER32(?,?), ref: 00423BEC
                                                                                      • Part of subcall function 00423B1C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419476,00000000,?,?,?,00000001), ref: 00423C2C
                                                                                      • Part of subcall function 0041F5A8: GetVersion.KERNEL32(?,00419480,00000000,?,?,?,00000001), ref: 0041F5B6
                                                                                      • Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5D2
                                                                                      • Part of subcall function 0041F5A8: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5DE
                                                                                      • Part of subcall function 0041F5A8: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5EC
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
                                                                                      • Part of subcall function 0041F5A8: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                    • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                    • API String ID: 316262546-2767913252
                                                                                    APIs
                                                                                    • SetWindowLongA.USER32(?,000000FC,?), ref: 00413AF4
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00413AFF
                                                                                    • GetWindowLongA.USER32(?,000000F4), ref: 00413B11
                                                                                    • SetWindowLongA.USER32(?,000000F4,?), ref: 00413B24
                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 00413B3B
                                                                                    • SetPropA.USER32(?,00000000,00000000), ref: 00413B52
                                                                                    Similarity
                                                                                    • API ID: LongWindow$Prop
                                                                                    • String ID:
                                                                                    • API String ID: 3887896539-0
                                                                                    APIs
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473C61
                                                                                    • FindClose.KERNEL32(000000FF,00473C8C,00473C85,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473C7F
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041), ref: 00473D83
                                                                                    • FindClose.KERNEL32(000000FF,00473DAE,00473DA7,?,00000000,?,0049F1E4,00000000,00473E75,?,00000000,?,00000000,?,00474041,?), ref: 00473DA1
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileNext
                                                                                    • String ID: @G
                                                                                    • API String ID: 2066263336-4243591082
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045609F,?,00000000,004560DF), ref: 00455FE5
                                                                                    Strings
                                                                                    • PendingFileRenameOperations, xrefs: 00455F84
                                                                                    • PendingFileRenameOperations2, xrefs: 00455FB4
                                                                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455F68
                                                                                    • WININIT.INI, xrefs: 00456014
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                    • API String ID: 47109696-2199428270
                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE63
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0047EF26,?,?,00000000,0049E62C,00000000,00000000,?,0049B3BD,00000000,0049B566,?,00000000), ref: 0047EE6C
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                    • API String ID: 1375471231-2952887711
                                                                                    APIs
                                                                                    • EnumWindows.USER32(00423EAC), ref: 00423F38
                                                                                    • GetWindow.USER32(?,00000003), ref: 00423F4D
                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 00423F5C
                                                                                    • SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Window$EnumLongWindows
                                                                                    • String ID: EB
                                                                                    • API String ID: 4191631535-4058845024
                                                                                    APIs
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 004588B8
                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 004588D9
                                                                                    • CloseHandle.KERNEL32(?,0045890C), ref: 004588FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Similarity
                                                                                    • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                    • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                    APIs
                                                                                    • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042E2E0
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E47B,00000000,0042E493,?,?,?,?,00000006,?,00000000,0049A6E1), ref: 0042E2FB
                                                                                    • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E301
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressDeleteHandleModuleProc
                                                                                    • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                    Strings
                                                                                    • PrepareToInstall failed: %s, xrefs: 0046D41A
                                                                                    • NextButtonClick, xrefs: 0046D1F8
                                                                                    • Need to restart Windows? %s, xrefs: 0046D441
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                    APIs
                                                                                    • SetActiveWindow.USER32(?,?,00000000,00485795), ref: 00485568
                                                                                    • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00485606
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ActiveChangeNotifyWindow
                                                                                    • String ID: $Need to restart Windows? %s
                                                                                    APIs
                                                                                      • Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8
                                                                                    • GetLastError.KERNEL32(00000000,0047153D,?,?,0049F1E4,00000000), ref: 0047141A
                                                                                    • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471494
                                                                                    • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 004714B9
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                    • String ID: Creating directory: %s
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045567E
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00455744), ref: 004556E8
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressByteCharMultiProcWide
                                                                                    • String ID: SfcIsFileProtected$sfc.dll
                                                                                    APIs
                                                                                    • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                    • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ExitMessageProcess
                                                                                    • String ID: Error$Runtime error at 00000000
                                                                                    APIs
                                                                                    • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F241
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                      • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
                                                                                      • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
                                                                                    • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F224
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                    • String ID: SHAutoComplete$shlwapi.dll
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(?,004562AB,?,00000001,00000000), ref: 0045629E
                                                                                    Strings
                                                                                    • PendingFileRenameOperations2, xrefs: 0045627F
                                                                                    • PendingFileRenameOperations, xrefs: 00456270
                                                                                    • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 0045624C
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                    APIs
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?,00000000), ref: 00481FF2
                                                                                    • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?,?), ref: 00481FFF
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497), ref: 004820F4
                                                                                    • FindClose.KERNEL32(000000FF,0048211F,00482118,?,?,?,?,00000000,00482145,?,00000000,00000000,?,?,00483497,?), ref: 00482112
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileNext
                                                                                    • String ID:
                                                                                    • API String ID: 2066263336-0
                                                                                    • Opcode ID: 6ee02d32a7030f916274d5c0ebb928b8e1c7c4fd09cb9f284f296db661b75876
                                                                                    • Instruction ID: 08b9d9e684fed8dea23f8f184a6a28fa9329586f58159be8e4499552dc0984e9
                                                                                    • Opcode Fuzzy Hash: 6ee02d32a7030f916274d5c0ebb928b8e1c7c4fd09cb9f284f296db661b75876
                                                                                    • Instruction Fuzzy Hash: A8518F70A00648AFCB11EFA5CD45ADEB7B8EB49315F1084AAA908F7351D7389F85CF54
                                                                                    APIs
                                                                                    • GetMenu.USER32(00000000), ref: 004217F1
                                                                                    • SetMenu.USER32(00000000,00000000), ref: 0042180E
                                                                                    • SetMenu.USER32(00000000,00000000), ref: 00421843
                                                                                    • SetMenu.USER32(00000000,00000000), ref: 0042185F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu
                                                                                    • String ID:
                                                                                    • API String ID: 3711407533-0
                                                                                    • Opcode ID: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
                                                                                    • Instruction ID: cda4d875d1f608ccb0f244f9e48059a425efb766f93e731c33a2d40a56ce0a72
                                                                                    • Opcode Fuzzy Hash: 4f4a6720c0d4240df17a752d101e3e079c79ea095c8752a38fea6d697220fe84
                                                                                    • Instruction Fuzzy Hash: 4641B230B002604BDB20BE3A98857DB36959FA1708F48047FB8408F3A7CA7DCC8587AD
                                                                                    APIs
                                                                                    • GetCursorPos.USER32 ref: 004176F0
                                                                                    • SetCursor.USER32(00000000), ref: 00417733
                                                                                    • GetLastActivePopup.USER32(?), ref: 0041775D
                                                                                    • GetForegroundWindow.USER32(?), ref: 00417764
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1959210111-0
                                                                                    • Opcode ID: a4fb18937cec8743a3fc16f56100b5299ac927794cf04a50c41a9805f93b61d1
                                                                                    • Instruction ID: 2e5a0fdf5ba03c47f255224e58a8cf5d0223c50b95843e628a0bc5c759944eb4
                                                                                    • Opcode Fuzzy Hash: a4fb18937cec8743a3fc16f56100b5299ac927794cf04a50c41a9805f93b61d1
                                                                                    • Instruction Fuzzy Hash: C521A1342086018ACB10EF2AD885ADB33B1AB54754F45456BE4658B3A2D73CFC80CB89
                                                                                    APIs
                                                                                    • SendMessageA.USER32(?,?,?,?), ref: 00417014
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0041702E
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00417048
                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 00417070
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$CallMessageProcSendTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 601730667-0
                                                                                    • Opcode ID: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
                                                                                    • Instruction ID: 80572e548b46958a0d24f1498dfa195ce4484893cdd9813db9ff7b95e026d91f
                                                                                    • Opcode Fuzzy Hash: 9e3e2694ee45dac8d31a23f67f82d5f08d8b2d5533639d352c95bf2745043790
                                                                                    • Instruction Fuzzy Hash: A71151B5604700AFD710EE6ECD84E8B77EDDF49310B14882BB599DB612C62CEC418B79
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 004235AE
                                                                                    • EnumFontsA.GDI32(00000000,00000000,004234F8,004108F0,00000000,?,?,00000000,?,00419463,00000000,?,?,?,00000001), ref: 004235C1
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004235C9
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 004235D4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CapsDeviceEnumFontsRelease
                                                                                    • String ID:
                                                                                    • API String ID: 2698912916-0
                                                                                    • Opcode ID: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
                                                                                    • Instruction ID: e37963186075478de4bf5b94465d182e7684c730ebf482ac601e72b604436184
                                                                                    • Opcode Fuzzy Hash: e97f28f260114bd4b50ee825155fd8757a5a43882207122cecfc92cdae6cf7ce
                                                                                    • Instruction Fuzzy Hash: B301D2A17043006AE700BF795D82B9B37649F00309F04467BF808AF3C2D67E9805476E
                                                                                    APIs
                                                                                    • WaitForInputIdle.USER32(?,00000032), ref: 004557A4
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004557C6
                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 004557D5
                                                                                    • CloseHandle.KERNEL32(?,00455802,004557FB,?,?,?,00000000,?,?,004559D7,?,?,?,00000044,00000000,00000000), ref: 004557F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                    • String ID:
                                                                                    • API String ID: 4071923889-0
                                                                                    • Opcode ID: d2c35b4b51abf6f32bd9a4a291a0d423bda07aba144e169426b374ee6062f7e7
                                                                                    • Instruction ID: 5ee05597952c7b60c0905264d30be017cf261a6af7f6414952b470fafc47fcf8
                                                                                    • Opcode Fuzzy Hash: d2c35b4b51abf6f32bd9a4a291a0d423bda07aba144e169426b374ee6062f7e7
                                                                                    • Instruction Fuzzy Hash: B801B970A40A18BEEB10D7A58C16F7BBBACDF49770F610567F904D72C2D5B85D00C668
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CountSleepTick
                                                                                    • String ID:
                                                                                    • API String ID: 2227064392-0
                                                                                    • Opcode ID: 3ee4065037878166353eeadab2a9b946dbf004582adaa251f0c09bbff026a53d
                                                                                    • Instruction ID: 0807e7f7cf1e805980a62751cbb38808fe0fbb755af5a0e062f1309e6a3556a9
                                                                                    • Opcode Fuzzy Hash: 3ee4065037878166353eeadab2a9b946dbf004582adaa251f0c09bbff026a53d
                                                                                    • Instruction Fuzzy Hash: 3BE02B3230910065C72075BF18966BF498ACE89368F148BBFF088E7686C81C8C05957E
                                                                                    APIs
                                                                                      • Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B
                                                                                    • FlushFileBuffers.KERNEL32(?), ref: 0045CD29
                                                                                    Strings
                                                                                    • EndOffset range exceeded, xrefs: 0045CC5D
                                                                                    • NumRecs range exceeded, xrefs: 0045CC26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$BuffersFlush
                                                                                    • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                    • API String ID: 3593489403-659731555
                                                                                    • Opcode ID: 7bdf9f5c2d7decbff5cad6bd677d55b8b12acad9b253307a45fc7b54da2349b9
                                                                                    • Instruction ID: 31f4abf116af19d9e5b678acab2297332ff925687264b8022cc2431fdfe05cd7
                                                                                    • Opcode Fuzzy Hash: 7bdf9f5c2d7decbff5cad6bd677d55b8b12acad9b253307a45fc7b54da2349b9
                                                                                    • Instruction Fuzzy Hash: 95617234A002948FDB25DF25C891BDAB7B5AF49305F0084DAED899B352D674AEC8CF54
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485985
                                                                                    • SetActiveWindow.USER32(?,00000000,00485AD6,?,00000000,00485B17,?,?,?,?,00000000,00000000,00000000,?,0046D345), ref: 00485997
                                                                                    Strings
                                                                                    • Will not restart Windows automatically., xrefs: 00485AB6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveForeground
                                                                                    • String ID: Will not restart Windows automatically.
                                                                                    • API String ID: 307657957-4169339592
                                                                                    • Opcode ID: 1b4f293c7cda8fe0f2b73a3215ff390e91ebe1b53693b929b84309b001fedd1a
                                                                                    • Instruction ID: f83d4e2d24e7b328884665d644b63d6f540d85ee55f206053ba059ac37762111
                                                                                    • Opcode Fuzzy Hash: 1b4f293c7cda8fe0f2b73a3215ff390e91ebe1b53693b929b84309b001fedd1a
                                                                                    • Instruction Fuzzy Hash: 5E411830204A40DFD715FB64DC85BAE7BE89B25308F5549B7E880D73A2D67C9848D71E
                                                                                    APIs
                                                                                      • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049BA3A), ref: 0040334B
                                                                                      • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049BA3A), ref: 00403356
                                                                                      • Part of subcall function 004063FC: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 00406417
                                                                                      • Part of subcall function 004063FC: GetVersion.KERNEL32(kernel32.dll,00000000,004066B9,?,?,?,?,00000000,?,0049BA44), ref: 0040641E
                                                                                      • Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00406433
                                                                                      • Part of subcall function 004063FC: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040645B
                                                                                      • Part of subcall function 00406854: 6FDA1CD0.COMCTL32(0049BA49), ref: 00406854
                                                                                      • Part of subcall function 00410BF4: GetCurrentThreadId.KERNEL32 ref: 00410C42
                                                                                      • Part of subcall function 004194D0: GetVersion.KERNEL32(0049BA62), ref: 004194D0
                                                                                      • Part of subcall function 0044FDB0: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
                                                                                      • Part of subcall function 0044FDB0: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1
                                                                                      • Part of subcall function 0045027C: GetVersionExA.KERNEL32(0049E794,0049BA7B), ref: 0045028B
                                                                                      • Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 004539EA
                                                                                      • Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004539F0
                                                                                      • Part of subcall function 004539C8: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453A86,?,?,?,?,00000000,00000000,?,0049BA8A), ref: 00453A04
                                                                                      • Part of subcall function 004539C8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453A0A
                                                                                      • Part of subcall function 004578E4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E
                                                                                      • Part of subcall function 00465A14: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
                                                                                      • Part of subcall function 00465A14: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65
                                                                                      • Part of subcall function 0046E39C: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7
                                                                                      • Part of subcall function 0047AD94: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
                                                                                      • Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
                                                                                      • Part of subcall function 0047AD94: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7
                                                                                      • Part of subcall function 004863AC: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF
                                                                                      • Part of subcall function 00498A20: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00498A39
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,0049BAF0), ref: 0049BAC2
                                                                                      • Part of subcall function 0049B7EC: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
                                                                                      • Part of subcall function 0049B7EC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC
                                                                                      • Part of subcall function 00424964: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424983
                                                                                      • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                                                    • ShowWindow.USER32(?,00000005,00000000,0049BAF0), ref: 0049BB23
                                                                                      • Part of subcall function 00484988: SetActiveWindow.USER32(?), ref: 00484A36
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                     • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorFormatLibraryLineLoadMessageModeRegisterSendShowTextThread
                                                                                    • String ID: Setup
                                                                                    • API String ID: 56708735-3839654196
                                                                                    • Opcode ID: 6ba6eeb17e57b3b34fa12513dac6b1566c15f48df1299484f225080e77927bd7
                                                                                    • Instruction ID: 45436910a3e38556774c512443cf6fe356218821253e756f5799c0333a1408c1
                                                                                    • Opcode Fuzzy Hash: 6ba6eeb17e57b3b34fa12513dac6b1566c15f48df1299484f225080e77927bd7
                                                                                    • Instruction Fuzzy Hash: 5F31D2752046009EC601BBB7F95391D3BA8EB99708BA2443FF804D6663DF3D6814CA7E
                                                                                    APIs
                                                                                      • Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00485E4D
                                                                                      • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00485E5A
                                                                                      • Part of subcall function 00485E3C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00485E68
                                                                                      • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00485E70
                                                                                      • Part of subcall function 00485E3C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00485E7C
                                                                                      • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00485E9D
                                                                                      • Part of subcall function 00485E3C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00485EB0
                                                                                      • Part of subcall function 00485E3C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00485EB6
                                                                                      • Part of subcall function 00486178: GetVersionExA.KERNEL32(?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 00486186
                                                                                      • Part of subcall function 00486178: GetVersionExA.KERNEL32(0000009C,?,004863E2,00000000,00486504,?,?,?,?,00000000,00000000,?,0049BAAD), ref: 004861D8
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                      • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
                                                                                      • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
                                                                                    • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 004864DF
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
                                                                                    • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                    • API String ID: 1303913335-2936008475
                                                                                    • Opcode ID: 637719a5ba0adfa7681f0a9afeab55b07e8530d1645ca554c85bf0b631666052
                                                                                    • Instruction ID: 0a3b8753df86b64a0abe51da698ff3945e27f94a4f66e9c257dfb1cfa232dc74
                                                                                    • Opcode Fuzzy Hash: 637719a5ba0adfa7681f0a9afeab55b07e8530d1645ca554c85bf0b631666052
                                                                                    • Instruction Fuzzy Hash: 2A315EB06002019EC740FFBA999674A3BA4DB5430CB91897BF400FB3D2D77DA8099B5E
                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00454266
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,0045430F,?,?,00000000,0049E62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045426F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID: .tmp
                                                                                    • API String ID: 1375471231-2986845003
                                                                                    • Opcode ID: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
                                                                                    • Instruction ID: 415d91b16f05740ba1416afe7bf5adb9ba5615b539517dd81add0c9acb6d8760
                                                                                    • Opcode Fuzzy Hash: a088e9ad1ac8c859f830a6b38babd2e41a4a9b8bfeab7a1983125dd9a2918e27
                                                                                    • Instruction Fuzzy Hash: C9216775A002189BDB01EFA1C8429DFB7B8EB84309F50457BFC01BB342D63C9E458B65
                                                                                    APIs
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00455B28
                                                                                    • GetLastError.KERNEL32(0000003C,00000000,00455B71,?,?,?), ref: 00455B39
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                    • String ID: <
                                                                                    • API String ID: 893404051-4251816714
                                                                                    • Opcode ID: c50f21546f4a27cfb3d5a4e560d7eced4bdfd09bf0ee539d11d307cdbb0718c2
                                                                                    • Instruction ID: 999fafdfd618aac71dabfb14027d48496d6343d42a6da5b956ec7361bda3743f
                                                                                    • Opcode Fuzzy Hash: c50f21546f4a27cfb3d5a4e560d7eced4bdfd09bf0ee539d11d307cdbb0718c2
                                                                                    • Instruction Fuzzy Hash: 48216570A00609AFDB10DF65D8926AE7BF8EF05345F50443BF844E7291D7789E49CB58
                                                                                    APIs
                                                                                      • Part of subcall function 00457874: CoInitialize.OLE32(00000000), ref: 0045787A
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                      • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
                                                                                      • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
                                                                                    • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 0045793E
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
                                                                                    • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                    • API String ID: 1013667774-2320870614
                                                                                    • Opcode ID: 0349290ed20e92ff684190e882672b249dcdfa4bc8c592d39d2db1d5cb0ccb5a
                                                                                    • Instruction ID: 883c9a478e7d65875247b88054ead2603694175a92ab65d05d339cd7b334e9d1
                                                                                    • Opcode Fuzzy Hash: 0349290ed20e92ff684190e882672b249dcdfa4bc8c592d39d2db1d5cb0ccb5a
                                                                                    • Instruction Fuzzy Hash: F7F03670604608ABE700EBA6E842F5D77ACDB45759F604077B800B2692D67CAE08C96D
                                                                                    APIs
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                      • Part of subcall function 0042E824: SetErrorMode.KERNEL32(00008000), ref: 0042E82E
                                                                                      • Part of subcall function 0042E824: LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
                                                                                    • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046E3E7
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
                                                                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                    • API String ID: 2552568031-2683653824
                                                                                    • Opcode ID: 2c8b75446194b5ce1b4fb7c86c3932591323869d4d9cfc2fa83a4b1930e98425
                                                                                    • Instruction ID: 1520e6e4c9beca3123f98d7cbe6aabbef4d784ad694bed30d21e1b99286f75d0
                                                                                    • Opcode Fuzzy Hash: 2c8b75446194b5ce1b4fb7c86c3932591323869d4d9cfc2fa83a4b1930e98425
                                                                                    • Instruction Fuzzy Hash: 48F04434604618BBDB00EB63DC42F5E7BECD745754FA14076F400A6591EA78AE048969
                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047EB66,00000000,0047EB7C), ref: 0047E876
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: RegisteredOrganization$RegisteredOwner
                                                                                    • API String ID: 3535843008-1113070880
                                                                                    • Opcode ID: f1a962627f2d876420563db9898fc9a4512616cdaa59049c23a95abd11bd46b4
                                                                                    • Instruction ID: 7230bcb305953dbfdc536c8ede0a4f62da6dd01636a6d4693cd9d102c919f290
                                                                                    • Opcode Fuzzy Hash: f1a962627f2d876420563db9898fc9a4512616cdaa59049c23a95abd11bd46b4
                                                                                    • Instruction Fuzzy Hash: F7F0B430B04104AFEB04E6A6ED82BEB379DC715308F2095BBE505DB392D678ED05979E
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 0047722D
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047743F), ref: 00477244
                                                                                      • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseCreateErrorFileHandleLast
                                                                                    • String ID: CreateFile
                                                                                    • API String ID: 2528220319-823142352
                                                                                    • Opcode ID: fecc3e4213b3a2f4b5095da10d6265088b0456b23de6781498b6538f6683fff6
                                                                                    • Instruction ID: 90e4e6ff62ef8f0e28f50a913bfb33107960128ee808bbf2bf0dc207e29e0456
                                                                                    • Opcode Fuzzy Hash: fecc3e4213b3a2f4b5095da10d6265088b0456b23de6781498b6538f6683fff6
                                                                                    • Instruction Fuzzy Hash: A6E06D306883447BEA20EA69DCC6F4A77889B04768F108152FA58AF3E3C5B9EC408658
                                                                                    APIs
                                                                                    • GetSystemMenu.USER32(00000000,00000000,00000000,00484171), ref: 00484109
                                                                                    • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0048411A
                                                                                    • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00484132
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Append$System
                                                                                    • String ID:
                                                                                    • API String ID: 1489644407-0
                                                                                    APIs
                                                                                    • 755A1520.VERSION(00000000,?,?,?,?), ref: 00452D08
                                                                                    • 755A1500.VERSION(00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D35
                                                                                    • 755A1540.VERSION(?,00452DAC,?,?,00000000,?,00000000,?,00000000,00452D83,?,00000000,?,?,?,?), ref: 00452D4F
                                                                                    Similarity
                                                                                    • API ID: A1500A1520A1540
                                                                                    • String ID:
                                                                                    • API String ID: 2563864905-0
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0044B935
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0044B958
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0044B98B
                                                                                    Similarity
                                                                                    • API ID: ObjectReleaseSelect
                                                                                    • String ID:
                                                                                    • API String ID: 1831053106-0
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B680,?,004849A3,?,?), ref: 0044B652
                                                                                    • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B665
                                                                                    • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B699
                                                                                    Similarity
                                                                                    • API ID: DrawText$ByteCharMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 65125430-0
                                                                                    APIs
                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004248A2
                                                                                    • TranslateMessage.USER32(?), ref: 0042491F
                                                                                    • DispatchMessageA.USER32(?), ref: 00424929
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchPeekTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 4217535847-0
                                                                                    APIs
                                                                                    • SetPropA.USER32(00000000,00000000), ref: 00416AFA
                                                                                    • SetPropA.USER32(00000000,00000000), ref: 00416B0F
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416B36
                                                                                    Similarity
                                                                                    • API ID: Prop$Window
                                                                                    • String ID:
                                                                                    • API String ID: 3363284559-0
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Virtual$AllocFree
                                                                                    • String ID: @I
                                                                                    • API String ID: 2087232378-2158259926
                                                                                    APIs
                                                                                    • IsWindowVisible.USER32(?), ref: 0041F2F4
                                                                                    • IsWindowEnabled.USER32(?), ref: 0041F2FE
                                                                                    • EnableWindow.USER32(?,00000000), ref: 0041F324
                                                                                    Similarity
                                                                                    • API ID: Window$EnableEnabledVisible
                                                                                    • String ID:
                                                                                    • API String ID: 3234591441-0
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(00000000,00000000,?,?,00485841,?,00485926,?,?,00000000), ref: 004857E2
                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 004857F4
                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,00485841,?,00485926,?,?,00000000), ref: 004857FD
                                                                                    Similarity
                                                                                    • API ID: ProcessWindow$CurrentForegroundThread
                                                                                    • String ID:
                                                                                    • API String ID: 3477312055-0
                                                                                    APIs
                                                                                    • SetActiveWindow.USER32(?), ref: 0046B59D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ActiveWindow
                                                                                    • String ID: PrepareToInstall
                                                                                    • API String ID: 2558294473-1101760603
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: /:*?"<>|
                                                                                    • API String ID: 0-4078764451
                                                                                    APIs
                                                                                    • SetActiveWindow.USER32(?), ref: 00484A36
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ActiveWindow
                                                                                    • String ID: InitializeWizard
                                                                                    • API String ID: 2558294473-2356795471
                                                                                    APIs
                                                                                    Strings
                                                                                    • Failed to remove temporary directory: , xrefs: 0047F03B
                                                                                    Similarity
                                                                                    • API ID: CountTick
                                                                                    • String ID: Failed to remove temporary directory:
                                                                                    • API String ID: 536389180-3544197614
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047E97C,00000000,0047EB7C), ref: 0047E775
                                                                                    Strings
                                                                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047E745
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                    • API String ID: 47109696-1019749484
                                                                                    APIs
                                                                                    • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,?,0049F1E4,?,004708E0,?,00000000,00470E9F,?,_is1), ref: 004705A7
                                                                                    Strings
                                                                                    • Inno Setup: Setup Version, xrefs: 004705A5
                                                                                    Similarity
                                                                                    • API ID: Value
                                                                                    • String ID: Inno Setup: Setup Version
                                                                                    • API String ID: 3702945584-4166306022
                                                                                    APIs
                                                                                    • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,00470CB7,?,?,00000000,00470E9F,?,_is1,?), ref: 00470607
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Value
                                                                                    • String ID: NoModify
                                                                                    • API String ID: 3702945584-1699962838
                                                                                    APIs
                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    Strings
                                                                                    • System\CurrentControlSet\Control\Windows, xrefs: 0042E2C6
                                                                                    Similarity
                                                                                    • API ID: Open
                                                                                    • String ID: System\CurrentControlSet\Control\Windows
                                                                                    • API String ID: 71445658-1109719901
                                                                                    APIs
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00454B42,?,00000000,00454BB6,?,?,-00000001,00000000,?,0047F037,00000000,0047EF84,00000000), ref: 00454B1E
                                                                                    • FindClose.KERNEL32(000000FF,00454B49,00454B42,?,00000000,00454BB6,?,?,-00000001,00000000,?,0047F037,00000000,0047EF84,00000000,00000000), ref: 00454B3C
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileNext
                                                                                    • String ID:
                                                                                    • API String ID: 2066263336-0
                                                                                    APIs
                                                                                    • GetACP.KERNEL32(?,?,00000001,00000000,00480997,?,-0000001A,0048289A,-00000010,?,00000004,0000001C,00000000,00482C37,?,0045E3F8), ref: 0048072E
                                                                                      • Part of subcall function 0042E7AC: GetDC.USER32(00000000), ref: 0042E7BB
                                                                                      • Part of subcall function 0042E7AC: EnumFontsA.GDI32(?,00000000,0042E798,00000000,00000000,0042E804,?,00000000,00000000,?,00000001,00000000,00000002,00000000,0048361D), ref: 0042E7E6
                                                                                      • Part of subcall function 0042E7AC: ReleaseDC.USER32(00000000,?), ref: 0042E7FE
                                                                                    • SendNotifyMessageA.USER32(00020434,00000496,00002711,-00000001), ref: 004808FE
                                                                                    Similarity
                                                                                    • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                    • String ID:
                                                                                    • API String ID: 2649214853-0
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.KERNEL32(0049E420,00000000,004021FC), ref: 004020CB
                                                                                      • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                      • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                      • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                      • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
                                                                                    • String ID:
                                                                                    • API String ID: 296031713-0
                                                                                    APIs
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E0CC
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E1C8), ref: 0042E13C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue
                                                                                    • String ID:
                                                                                    • API String ID: 3660427363-0
                                                                                    APIs
                                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042E466,?,?,00000008,00000000,00000000,0042E493), ref: 0042E3FC
                                                                                    • RegCloseKey.ADVAPI32(?,0042E46D,?,00000000,00000000,00000000,00000000,00000000,0042E466,?,?,00000008,00000000,00000000,0042E493), ref: 0042E460
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseEnum
                                                                                    • String ID:
                                                                                    • API String ID: 2818636725-0
                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458B08,00000000,00458AF0,?,?,?,00000000,0045303A,?,?,?,00000001), ref: 00453014
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,?,00458B08,00000000,00458AF0,?,?,?,00000000,0045303A,?,?,?,00000001), ref: 0045301C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 2919029540-0
                                                                                    APIs
                                                                                    • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040B282
                                                                                    • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B3DF,00000000,0040B3F7,?,?,?,00000000), ref: 0040B293
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$FindFree
                                                                                    • String ID:
                                                                                    • API String ID: 4097029671-0
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0041F383
                                                                                    • EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$CurrentEnumWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2396873506-0
                                                                                    APIs
                                                                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 0045349A
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,004534C0), ref: 004534A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastMove
                                                                                    • String ID:
                                                                                    • API String ID: 55378915-0
                                                                                    APIs
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeVirtual
                                                                                    • String ID: @I
                                                                                    • API String ID: 1263568516-2158259926
                                                                                    APIs
                                                                                    • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00452FA7), ref: 00452F81
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00452FA7), ref: 00452F89
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1375471231-0
                                                                                    APIs
                                                                                    • DeleteFileA.KERNEL32(00000000,00000000,0045313D,?,-00000001,?), ref: 00453117
                                                                                    • GetLastError.KERNEL32(00000000,00000000,0045313D,?,-00000001,?), ref: 0045311F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 2018770650-0
                                                                                    APIs
                                                                                    • RemoveDirectoryA.KERNEL32(00000000,00000000,00453645,?,-00000001,00000000), ref: 0045361F
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00453645,?,-00000001,00000000), ref: 00453627
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryErrorLastRemove
                                                                                    • String ID:
                                                                                    • API String ID: 377330604-0
                                                                                    APIs
                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004236D9
                                                                                    • LoadCursorA.USER32(00000000,00000000), ref: 00423703
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CursorLoad
                                                                                    • String ID:
                                                                                    • API String ID: 3238433803-0
                                                                                    • Opcode ID: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
                                                                                    • Instruction ID: 38849c99451a314d8fe435546c8a0ff0f6ed66ecc1deebef06b1f4ec46e3768a
                                                                                    • Opcode Fuzzy Hash: 435632a159b4ee3f4de27f3f53cb37f8d356402f2aecc44b66926b1db8d28f8a
                                                                                    • Instruction Fuzzy Hash: 5FF0A7617041206BD620593E6CC1D2A76AC8B81B35F61033BFA2BD73D1C66E6D41416D
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00008000), ref: 0042E82E
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,0042E878,?,00000000,0042E896,?,00008000), ref: 0042E85D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLibraryLoadMode
                                                                                    • String ID:
                                                                                    • API String ID: 2987862817-0
                                                                                    • Opcode ID: 1a6091ce078db88393fc002325d20e82ca7bdc15aaa61f0720148644d5cbec67
                                                                                    • Instruction ID: d8a4edba93e6b3564287fdd291ee362a4641d771db482aeeea55453c97403edd
                                                                                    • Opcode Fuzzy Hash: 1a6091ce078db88393fc002325d20e82ca7bdc15aaa61f0720148644d5cbec67
                                                                                    • Instruction Fuzzy Hash: 49F08270B14744BEDB116F779C6282BBBECE749B1079249B6F800A3691E63C88108928
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(?,0046F786), ref: 0046F6FA
                                                                                    • CoCreateInstance.OLE32(0049CBA0,00000000,00000001,0049CBB0,?,?,0046F786), ref: 0046F716
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInstanceVersion
                                                                                    • String ID:
                                                                                    • API String ID: 1462612201-0
                                                                                    • Opcode ID: 27d9c8de699d70c3af72ca495f1d6c89b44d9af8c0a5d583989dd02520804707
                                                                                    • Instruction ID: 332733ba3b7aad20b23de4c2050fe78918fd3c6ecf1ada1e8d4443b9132fd7c7
                                                                                    • Opcode Fuzzy Hash: 27d9c8de699d70c3af72ca495f1d6c89b44d9af8c0a5d583989dd02520804707
                                                                                    • Instruction Fuzzy Hash: CCF03771245241AEEF14DB29EC46B4537D46711715F504077E084C7292E269949A9B1E
                                                                                    APIs
                                                                                    • SHGetKnownFolderPath.SHELL32(0049CD58,00008000,00000000,?), ref: 0047EAD5
                                                                                    • CoTaskMemFree.OLE32(?,0047EB18), ref: 0047EB0B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FolderFreeKnownPathTask
                                                                                    • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                    • API String ID: 969438705-544719455
                                                                                    • Opcode ID: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
                                                                                    • Instruction ID: 165899f7cf3a7d3cc2084f0fc85f54689cbe0ef7c4de0502b74dd13bf0a7d919
                                                                                    • Opcode Fuzzy Hash: dcdb464d46d000a45e9e512131e32681938e3456e18d581bde74e904f3b66734
                                                                                    • Instruction Fuzzy Hash: C9E06D31340640AEEB11CA629C12B597BA8EB89B14BA184B3F500E6694D679AE009A58
                                                                                    APIs
                                                                                    • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,004719AD,?,00000000), ref: 004510E6
                                                                                    • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,004719AD,?,00000000), ref: 004510EE
                                                                                      • Part of subcall function 00450E8C: GetLastError.KERNEL32(00450CA8,00450F4E,?,00000000,?,0049ACB0,00000001,00000000,00000002,00000000,0049AE11,?,?,00000005,00000000,0049AE45), ref: 00450E8F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FilePointer
                                                                                    • String ID:
                                                                                    • API String ID: 1156039329-0
                                                                                    • Opcode ID: 450b94a7bac9282d6b7fae5146a6d08691660aeb69b5e3714ccfa6e1fcf1c045
                                                                                    • Instruction ID: 35e945613fc18ccecab22534e9d11e811fcb2dd239ff33a76439916eeb31a03f
                                                                                    • Opcode Fuzzy Hash: 450b94a7bac9282d6b7fae5146a6d08691660aeb69b5e3714ccfa6e1fcf1c045
                                                                                    • Instruction Fuzzy Hash: 78E012B5305201ABE710EA7599C2F2B22D8DB44715F11846AF944CB197D6B4CC858B25
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 0048581A
                                                                                    • GetTickCount.KERNEL32 ref: 00485811
                                                                                      • Part of subcall function 004857DC: GetForegroundWindow.USER32(00000000,00000000,?,?,00485841,?,00485926,?,?,00000000), ref: 004857E2
                                                                                      • Part of subcall function 004857DC: GetWindowThreadProcessId.USER32(00000000,?), ref: 004857F4
                                                                                      • Part of subcall function 004857DC: GetCurrentProcessId.KERNEL32(00000000,?,00000000,00000000,?,?,00485841,?,00485926,?,?,00000000), ref: 004857FD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountProcessTickWindow$CurrentForegroundThread
                                                                                    • String ID:
                                                                                    • API String ID: 711787588-0
                                                                                    • Opcode ID: cd128b87f03e26c07bc9ddebb4882c5e6374aa137d56e38f5b9439cafc6adf35
                                                                                    • Instruction ID: 37c01992473dcd2b03ae1706136aad3bc8c67510e2e6962acbf28b70736c28fa
                                                                                    • Opcode Fuzzy Hash: cd128b87f03e26c07bc9ddebb4882c5e6374aa137d56e38f5b9439cafc6adf35
                                                                                    • Instruction Fuzzy Hash: 47D0C944601A9285DD8036B7968722E05089FD135CF905C7FB84A9A187DD5C4425837F
                                                                                    APIs
                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,00408BA2), ref: 00408A8B
                                                                                      • Part of subcall function 0040727C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00407299
                                                                                      • Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                    • String ID:
                                                                                    • API String ID: 1658689577-0
                                                                                    • Opcode ID: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
                                                                                    • Instruction ID: 1a1ee965da3d5e477180f9d3e1b3e31d3a1d40cbd97d3d5e52e02950362564b9
                                                                                    • Opcode Fuzzy Hash: e3bde22edff9b95fb01644fc2752e12edfd564b8e42cb00d732a26da313984e4
                                                                                    • Instruction Fuzzy Hash: A7314F75E001099BCF00EB95C8819EEB779EF84314F51857BE814BB286E738AE458B99
                                                                                    APIs
                                                                                    • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 004200C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoScroll
                                                                                    • String ID:
                                                                                    • API String ID: 629608716-0
                                                                                    • Opcode ID: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
                                                                                    • Instruction ID: fb0b6b32162d284d5e4e4472e465846aa9f3b1678ed1a2f027c040ff7edaf6c0
                                                                                    • Opcode Fuzzy Hash: 4038a9721f8deaf5412c4e17f668d42a633933aac620105991029e29eea6c581
                                                                                    • Instruction Fuzzy Hash: 4E214FB1604755AFD340DF39A44076ABBE4BB48314F04892EE098C3341E779E995CBD6
                                                                                    APIs
                                                                                      • Part of subcall function 0041F334: GetCurrentThreadId.KERNEL32 ref: 0041F383
                                                                                      • Part of subcall function 0041F334: EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389
                                                                                    • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046DA5A,?,00000000,?,?,0046DC6C,?,00000000,0046DCE0), ref: 0046DA3E
                                                                                      • Part of subcall function 0041F3E8: IsWindow.USER32(?), ref: 0041F3F6
                                                                                      • Part of subcall function 0041F3E8: EnableWindow.USER32(?,00000001), ref: 0041F405
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3319771486-0
                                                                                    • Opcode ID: 14c83a23c86b42327ca1301f62a4784445c04927232d49b89820285b89b2dd83
                                                                                    • Instruction ID: 0c208c65a233b0f8173889f0c0708269dbf0c44dae4fff659f8412be6aa39092
                                                                                    • Opcode Fuzzy Hash: 14c83a23c86b42327ca1301f62a4784445c04927232d49b89820285b89b2dd83
                                                                                    • Instruction Fuzzy Hash: EEF0FA31B4C340AFEB00ABA1AC06B2ABBA8E308B01F60443BF400C2181E57968448A2E
                                                                                    APIs
                                                                                    • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416A15
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    • Opcode ID: 66225c5018934712ca213f7cbc9da523afb779e1f1452fe3fdaea1241b34de43
                                                                                    • Instruction ID: 5ef094d12f7d71e5830b73219e88c414bb2d46ce683ba0b40c209d6d3be90de3
                                                                                    • Opcode Fuzzy Hash: 66225c5018934712ca213f7cbc9da523afb779e1f1452fe3fdaea1241b34de43
                                                                                    • Instruction Fuzzy Hash: 26F025B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD261EC108BB1
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414E7F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450FDC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,0042D1A4,?,00000001,?,?,00000000,?,0042D1F6,00000000,004531FD,00000000,0045321E,?,00000000), ref: 0042D187
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    APIs
                                                                                    • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FormatMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1306739567-0
                                                                                    APIs
                                                                                    • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041B42B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExtentPointText
                                                                                    • String ID:
                                                                                    • API String ID: 566491939-0
                                                                                    APIs
                                                                                    • CreateWindowExA.USER32(00000000,00423B0C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00406329
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 716092398-0
                                                                                    APIs
                                                                                    • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E2A0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create
                                                                                    • String ID:
                                                                                    • API String ID: 2289755597-0
                                                                                    APIs
                                                                                    • FindClose.KERNEL32(00000000,000000FF,00472354,00000000,00473170,?,00000000,004731B9,?,00000000,004732F2,?,00000000,?,00000000), ref: 0045540A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseFind
                                                                                    • String ID:
                                                                                    • API String ID: 1863332320-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(00498852,?,00498874,?,?,00000000,00498852,?,?), ref: 00414B2B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004073B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite
                                                                                    • String ID:
                                                                                    • API String ID: 3934441357-0
                                                                                    APIs
                                                                                      • Part of subcall function 00423A88: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A9D
                                                                                    • ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7
                                                                                      • Part of subcall function 00423AB8: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423AD4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoParametersSystem$ShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3202724764-0
                                                                                    APIs
                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: TextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 530164218-0
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,?,0045342D,00000000,00453446,?,-00000001,00000000), ref: 0042D207
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00451DA3,00000000), ref: 0042D1BF
                                                                                    Similarity
                                                                                    • API ID: AttributesFile
                                                                                    • String ID:
                                                                                    • API String ID: 3188754299-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,?,00468D7C,00000000,00000000,00000000,0000000C,00000000,00000000,0046A02D), ref: 00467FE4
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB64,0040D110,?,00000000,?), ref: 0040736D
                                                                                    Similarity
                                                                                    • API ID: CreateFile
                                                                                    • String ID:
                                                                                    • API String ID: 823142352-0
                                                                                    APIs
                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?,?,00000000), ref: 0041F840
                                                                                    Similarity
                                                                                    • API ID: CallbackDispatcherUser
                                                                                    • String ID:
                                                                                    • API String ID: 2492992576-0
                                                                                    APIs
                                                                                    • SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B
                                                                                      • Part of subcall function 00450E8C: GetLastError.KERNEL32(00450CA8,00450F4E,?,00000000,?,0049ACB0,00000001,00000000,00000002,00000000,0049AE11,?,?,00000005,00000000,0049AE45), ref: 00450E8F
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 734332943-0
                                                                                    APIs
                                                                                    • DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB
                                                                                    Similarity
                                                                                    • API ID: DeleteFile
                                                                                    • String ID:
                                                                                    • API String ID: 4033686569-0
                                                                                    APIs
                                                                                    • SetCurrentDirectoryA.KERNEL32(00000000,?,0049AC3E,00000000,0049AE11,?,?,00000005,00000000,0049AE45,?,?,00000000), ref: 00407743
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory
                                                                                    • String ID:
                                                                                    • API String ID: 1611563598-0
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(?,0042E89D), ref: 0042E890
                                                                                    Similarity
                                                                                    • API ID: ErrorMode
                                                                                    • String ID:
                                                                                    • API String ID: 2340568224-0
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(00000000,00483DC7), ref: 0047F316
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary
                                                                                    • String ID:
                                                                                    • API String ID: 3664257935-0
                                                                                    APIs
                                                                                    • PostMessageA.USER32(00000000,00000012,00000000,00000000), ref: 0048400C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: DestroyWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3375834691-0
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,004801B7,?,?,?,?,00000000,00000000,00000000,00000000), ref: 00480171
                                                                                      • Part of subcall function 0042CE90: GetSystemMetrics.USER32(0000002A), ref: 0042CEA2
                                                                                    Similarity
                                                                                    • API ID: ByteCharMetricsMultiSystemWide
                                                                                    • String ID:
                                                                                    • API String ID: 224039744-0
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F234,?,00423D1F,0042409C,0041F234), ref: 0041F872
                                                                                    Similarity
                                                                                    • API ID: AllocVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 4275171209-0
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,00453805), ref: 004537E7
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1452528299-0
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(?,00419480,00000000,?,?,?,00000001), ref: 0041F5B6
                                                                                    • SetErrorMode.KERNEL32(00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5D2
                                                                                    • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5DE
                                                                                    • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419480,00000000,?,?,?,00000001), ref: 0041F5EC
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F61C
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F645
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F65A
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F66F
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F684
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F699
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F6AE
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F6C3
                                                                                    • GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F6D8
                                                                                    • GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6ED
                                                                                    • FreeLibrary.KERNEL32(00000001,?,00419480,00000000,?,?,?,00000001), ref: 0041F6FF
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
                                                                                    • String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
                                                                                    • API String ID: 2323315520-3614243559
                                                                                    APIs
                                                                                    • GetTickCount.KERNEL32 ref: 00458EBF
                                                                                    • QueryPerformanceCounter.KERNEL32(00000000,00000000,00459152,?,?,00000000,00000000,?,0045984E,?,00000000,00000000), ref: 00458EC8
                                                                                    • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000), ref: 00458ED2
                                                                                    • GetCurrentProcessId.KERNEL32(?,00000000,00000000,00459152,?,?,00000000,00000000,?,0045984E,?,00000000,00000000), ref: 00458EDB
                                                                                    • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458F51
                                                                                    • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,00000000,00000000), ref: 00458F5F
                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FA7
                                                                                    • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,004590FD,?,00000000,C0000000,00000000,0049CB28,00000003,00000000,00000000,00000000,0045910E), ref: 00458FE0
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459089
                                                                                    • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 004590BF
                                                                                    • CloseHandle.KERNEL32(000000FF,00459104,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004590F7
                                                                                      • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                    • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                    • API String ID: 770386003-3271284199
                                                                                    APIs
                                                                                      • Part of subcall function 0047A4E4: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02117A00,?,?,?,02117A00,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
                                                                                      • Part of subcall function 0047A4E4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
                                                                                      • Part of subcall function 0047A4E4: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A00,?,?,?,02117A00,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
                                                                                      • Part of subcall function 0047A4E4: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A00,?,?,?,02117A00), ref: 0047A540
                                                                                      • Part of subcall function 0047A4E4: CloseHandle.KERNEL32(00000000,?,?,?,02117A00,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E
                                                                                      • Part of subcall function 0047A5BC: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,0047A64E,?,?,?,02117A00,?,0047A6B0,00000000,0047A7C6,?,?,?,?), ref: 0047A5EC
                                                                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0047A700
                                                                                    • GetLastError.KERNEL32(00000000,0047A7C6,?,?,?,?), ref: 0047A709
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047A756
                                                                                    • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047A77A
                                                                                    • CloseHandle.KERNEL32(00000000,0047A7AB,00000000,00000000,000000FF,000000FF,00000000,0047A7A4,?,00000000,0047A7C6,?,?,?,?), ref: 0047A79E
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                    • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                    • API String ID: 883996979-221126205
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 00418823
                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 00418840
                                                                                    • GetWindowRect.USER32(?), ref: 0041885C
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0041886A
                                                                                    • GetWindowLongA.USER32(?,000000F8), ref: 0041887F
                                                                                    • ScreenToClient.USER32(00000000), ref: 00418888
                                                                                    • ScreenToClient.USER32(00000000,?), ref: 00418893
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                    • String ID: ,
                                                                                    • API String ID: 2266315723-3772416878
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 0042F784
                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 0042F798
                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0042F7AF
                                                                                    • GetActiveWindow.USER32 ref: 0042F7B8
                                                                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F7E5
                                                                                    • SetActiveWindow.USER32(?,0042F915,00000000,?), ref: 0042F806
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveLong$IconicMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1633107849-0
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29
                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455E42
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E69
                                                                                    • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455E6E
                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00455E7F
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                    • String ID: SeShutdownPrivilege
                                                                                    • API String ID: 107509674-3733053543
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244,?,?,00000000,0049E62C), ref: 0049AF7F
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049B002
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000), ref: 0049B01A
                                                                                    • FindClose.KERNEL32(000000FF,0049B045,0049B03E,?,00000000,?,00000000,0049B066,?,?,00000000,0049E62C,?,0049B1F0,00000000,0049B244), ref: 0049B038
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirstNext
                                                                                    • String ID: isRS-$isRS-???.tmp
                                                                                    • API String ID: 134685335-3422211394
                                                                                    APIs
                                                                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457EA1
                                                                                    • PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457EC8
                                                                                    • SetForegroundWindow.USER32(?), ref: 00457ED9
                                                                                    • NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,004581B1,?,00000000,004581ED), ref: 0045819C
                                                                                    Strings
                                                                                    • Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045801C
                                                                                    Similarity
                                                                                    • API ID: MessagePostWindow$ForegroundNtdllProc_
                                                                                    • String ID: Cannot evaluate variable because [Code] isn't running yet
                                                                                    • API String ID: 2236967946-3182603685
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 0041819F
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
                                                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A
                                                                                    Similarity
                                                                                    • API ID: Window$Placement$Iconic
                                                                                    • String ID: ,
                                                                                    • API String ID: 568898626-3772416878
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,0046528D), ref: 00465101
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465190
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 00465222
                                                                                    • FindClose.KERNEL32(000000FF,00465249,00465242,?,00000000,?,00000000,00465260,?,00000001,00000000,0046528D), ref: 0046523C
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseErrorFirstModeNext
                                                                                    • String ID:
                                                                                    • API String ID: 4011626565-0
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001,00000000,00465733), ref: 004655C1
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 00465607
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656BC
                                                                                    • FindClose.KERNEL32(000000FF,004656E7,004656E0,?,00000000,?,00000000,004656FE,?,00000001,00000000,00465733), ref: 004656DA
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseErrorFirstModeNext
                                                                                    • String ID:
                                                                                    • API String ID: 4011626565-0
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EDE6
                                                                                    • DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EE11
                                                                                    • GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE1E
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE26
                                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453717,00000000,00453738), ref: 0042EE2C
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CloseControlCreateDeviceFileHandle
                                                                                    • String ID:
                                                                                    • API String ID: 1177325624-0
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 00485D3A
                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00485D58
                                                                                    • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D7A
                                                                                    • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049F0AC,00485216,0048524A,00000000,0048526A,?,?,?,0049F0AC), ref: 00485D8E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Window$Show$IconicLong
                                                                                    • String ID:
                                                                                    • API String ID: 2754861897-0
                                                                                    • Opcode ID: 5ed038d0fee307265a8cc90ebd386045eabe6c636dc290bfb2ee38ae70546125
                                                                                    • Instruction ID: 5af26d4b23032c42014cdd6a7ba96e1f526e5740e281828ed4b475e411d83285
                                                                                    • Opcode Fuzzy Hash: 5ed038d0fee307265a8cc90ebd386045eabe6c636dc290bfb2ee38ae70546125
                                                                                    • Instruction Fuzzy Hash: 60011A716056409AEB10BB7A9C4DB5A33DD5B14304F19887BBC00DF2A3CA6DDC859B6C
                                                                                    APIs
                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00463C18), ref: 00463B9C
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BD8
                                                                                    • FindClose.KERNEL32(000000FF,00463BFF,00463BF8,?,00000000,?,00000000,00463C18), ref: 00463BF2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Find$File$CloseFirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 3541575487-0
                                                                                    • Opcode ID: dc4dff4d3dc270f8759446481a95d0d6573f140c5458e146c421fb3ad18a0819
                                                                                    • Instruction ID: a0cce92d96e660be0b97b7f28cec8121132c3377f259b36877ec83f4fdc062c8
                                                                                    • Opcode Fuzzy Hash: dc4dff4d3dc270f8759446481a95d0d6573f140c5458e146c421fb3ad18a0819
                                                                                    • Instruction Fuzzy Hash: 4C21D8315046886EDB11DF66CC41ADEBBACDB49705F5084FBF808E3661E638DF44CA5A
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 00424674
                                                                                    • SetActiveWindow.USER32(?,?,?,?,0046E2FF), ref: 00424681
                                                                                      • Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7
                                                                                      • Part of subcall function 00423FA4: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021125AC,0042469A,?,?,?,?,0046E2FF), ref: 00423FDF
                                                                                    • SetFocus.USER32(00000000,?,?,?,?,0046E2FF), ref: 004246AE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveFocusIconicShow
                                                                                    • String ID:
                                                                                    • API String ID: 649377781-0
                                                                                    • Opcode ID: 6fb5541612255947ef2c91b9d7674ffacd1557a8c948e8d6abd3677b7be11a69
                                                                                    • Instruction ID: 41fac251e040b5459bea7d3bbf68ddb82a9bf8d4fdffabeb223ec960e46dc8d5
                                                                                    • Opcode Fuzzy Hash: 6fb5541612255947ef2c91b9d7674ffacd1557a8c948e8d6abd3677b7be11a69
                                                                                    • Instruction Fuzzy Hash: FCF0D0717001108BDB40FFAAE9C5B9632A4AF49704B55057BBC05DF35BC67CDC458768
                                                                                    APIs
                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F2A1
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F2B1
                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F2D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                                                                    • String ID:
                                                                                    • API String ID: 3525989157-0
                                                                                    • Opcode ID: 2c808e9d1d2103421bc27e7a9199af7a8a7f53dda2cfff6e3100d803d15f4299
                                                                                    • Instruction ID: b330794617a7040f76ad0da05c7b1ee5a1856395dd3e8d048ce20caf316d4231
                                                                                    • Opcode Fuzzy Hash: 2c808e9d1d2103421bc27e7a9199af7a8a7f53dda2cfff6e3100d803d15f4299
                                                                                    • Instruction Fuzzy Hash: 18E0C0B16443007EE200EE758C82F5F76DCDB48714F00483AB654DB1C1E679D9489B96
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 0041819F
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 004181BD
                                                                                    • GetWindowPlacement.USER32(?,0000002C), ref: 004181F3
                                                                                    • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0041821A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Window$Placement$Iconic
                                                                                    • String ID:
                                                                                    • API String ID: 568898626-0
                                                                                    • Opcode ID: 93123499588309d436321f36bfa17b4aada1e27efe65d07a76ab247a868ec15b
                                                                                    • Instruction ID: c40958ec65a3081d6570449c7fa77bc67a6f73258cf3a653cafff2f251148837
                                                                                    • Opcode Fuzzy Hash: 93123499588309d436321f36bfa17b4aada1e27efe65d07a76ab247a868ec15b
                                                                                    • Instruction Fuzzy Hash: DE018F72240204BBDF10EE69DCC1EEB3398AB55364F15416AFD08DF242DA38EC8187A8
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CaptureIconic
                                                                                    • String ID:
                                                                                    • API String ID: 2277910766-0
                                                                                    • Opcode ID: e2b62a8e16e158399129b422c839338f97e6c3ad2ac0daa3b8d535a8f81942d9
                                                                                    • Instruction ID: 4baae68772761491d2023ced8ce828277fc49fe1aa00b8ecf1210e993849b5ad
                                                                                    • Opcode Fuzzy Hash: e2b62a8e16e158399129b422c839338f97e6c3ad2ac0daa3b8d535a8f81942d9
                                                                                    • Instruction Fuzzy Hash: AFF0317134460287DB20E66AC885ABF62B99F48395F14443BE515C7356EA6CDD848358
                                                                                    APIs
                                                                                    • IsIconic.USER32(?), ref: 0042462B
                                                                                      • Part of subcall function 00423F14: EnumWindows.USER32(00423EAC), ref: 00423F38
                                                                                      • Part of subcall function 00423F14: GetWindow.USER32(?,00000003), ref: 00423F4D
                                                                                      • Part of subcall function 00423F14: GetWindowLongA.USER32(?,000000EC), ref: 00423F5C
                                                                                      • Part of subcall function 00423F14: SetWindowPos.USER32(00000000,EB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,0042463B,?,?,00424203), ref: 00423F92
                                                                                    • SetActiveWindow.USER32(?,?,?,00424203,00000000,004245EC), ref: 0042463F
                                                                                      • Part of subcall function 00423ADC: ShowWindow.USER32(004108F0,00000009,?,00000000,0041F234,00423DCA,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042409C), ref: 00423AF7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                    • String ID:
                                                                                    • API String ID: 2671590913-0
                                                                                    • Opcode ID: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
                                                                                    • Instruction ID: d3e93a58e57438a951a07f29fe0797b16f8422c20572e0da7720cbe2ca5f63be
                                                                                    • Opcode Fuzzy Hash: 79a778728c02cc4edaf90c7f9b948427ca67b0e60320da5664268fec259b68fe
                                                                                    • Instruction Fuzzy Hash: B4E01A60700100C7EF00EFAAE8C4F8662A4BF88304F95017ABC48CF24BD67CDC448724
                                                                                    APIs
                                                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C65), ref: 00412C53
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: NtdllProc_Window
                                                                                    • String ID:
                                                                                    • API String ID: 4255912815-0
                                                                                    • Opcode ID: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
                                                                                    • Instruction ID: b726886feaa3cfb0c3c92f2e05cced8293b81fa2aba97a9fc1f2d8d784250eff
                                                                                    • Opcode Fuzzy Hash: 76210ea955b4234c29723da591833cea603cabc76a58ce7e5be2657fdfd9ecd6
                                                                                    • Instruction Fuzzy Hash: BD51F7317086058FC714DF6AD680A9AF3E5FFA8304B20866BD844C7365E7B8AD91C749
                                                                                    APIs
                                                                                    • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0047AD82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: NtdllProc_Window
                                                                                    • String ID:
                                                                                    • API String ID: 4255912815-0
                                                                                    • Opcode ID: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
                                                                                    • Instruction ID: 72cb5964904ea9acb86450fde6e950c62e8bde0ebf735d0adfbf9209324b5543
                                                                                    • Opcode Fuzzy Hash: ac3a0e397c45ef836a8712edbd6479a7937f26d08489729a49ce9afc46fadd63
                                                                                    • Instruction Fuzzy Hash: C6415B75604104EFCB20CF59C2908AEB7F6EB88311B74C992E849DB751D338EE51DB96
                                                                                    APIs
                                                                                      • Part of subcall function 0044BB38: GetVersionExA.KERNEL32(00000094), ref: 0044BB55
                                                                                      • Part of subcall function 0044BB8C: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044BBA4
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
                                                                                    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
                                                                                    • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
                                                                                    • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E
                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BD20
                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BD32
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BD44
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BD56
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BD68
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BD7A
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BD8C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD9E
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BDB0
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BDC2
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BDD4
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BDE6
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BDF8
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BE0A
                                                                                    • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BE1C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BE2E
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BE40
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BE52
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BE64
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BE76
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BE88
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE9A
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BEAC
                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BEBE
                                                                                    • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BED0
                                                                                    • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BEE2
                                                                                    • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BEF4
                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BF06
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BF18
                                                                                    • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BF2A
                                                                                    • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BF3C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BF4E
                                                                                    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BF60
                                                                                    • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BF72
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$DirectoryLibraryLoadSystemVersion
                                                                                    • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                    • API String ID: 2754715182-2910565190
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000,00000000,004957E1,?,?,?,?,00000000,00000000,00000000), ref: 0049532C
                                                                                    • FindWindowA.USER32(00000000,00000000), ref: 0049535D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FindSleepWindow
                                                                                    • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                    • API String ID: 3078808852-3310373309
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0041CED0
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 0041CEDC
                                                                                    • CreateBitmap.GDI32(0041ADD4,?,00000001,00000001,00000000), ref: 0041CF00
                                                                                    • CreateCompatibleBitmap.GDI32(?,0041ADD4,?), ref: 0041CF10
                                                                                    • SelectObject.GDI32(0041D2CC,00000000), ref: 0041CF2B
                                                                                    • FillRect.USER32(0041D2CC,?,?), ref: 0041CF66
                                                                                    • SetTextColor.GDI32(0041D2CC,00000000), ref: 0041CF7B
                                                                                    • SetBkColor.GDI32(0041D2CC,00000000), ref: 0041CF92
                                                                                    • PatBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00FF0062), ref: 0041CFA8
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 0041CFBB
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041CFEC
                                                                                    • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041D004
                                                                                    • RealizePalette.GDI32(00000000), ref: 0041D00D
                                                                                    • SelectPalette.GDI32(0041D2CC,00000000,00000001), ref: 0041D01C
                                                                                    • RealizePalette.GDI32(0041D2CC), ref: 0041D025
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041D03E
                                                                                    • SetBkColor.GDI32(00000000,00000000), ref: 0041D055
                                                                                    • BitBlt.GDI32(0041D2CC,00000000,00000000,0041ADD4,?,00000000,00000000,00000000,00CC0020), ref: 0041D071
                                                                                    • SelectObject.GDI32(00000000,?), ref: 0041D07E
                                                                                    • DeleteDC.GDI32(00000000), ref: 0041D094
                                                                                      • Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2
                                                                                    Similarity
                                                                                    • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                    • String ID:
                                                                                    • API String ID: 269503290-0
                                                                                    APIs
                                                                                    • ShowWindow.USER32(?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000,0049B9AD,?,00000000), ref: 0049B2D7
                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000,?,0049B9A3,00000000), ref: 0049B2EA
                                                                                    • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000,00000000), ref: 0049B2FA
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049B31B
                                                                                    • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049B5EC,?,?,00000000,?,00000000), ref: 0049B32B
                                                                                      • Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                    • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                    • API String ID: 2000705611-3672972446
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,0045B224,?,?,?,?,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045B0D6
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                    • API String ID: 1452528299-3112430753
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32 ref: 0045D46A
                                                                                    • GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D48A
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D497
                                                                                    • GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D4A4
                                                                                    • GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D4B2
                                                                                      • Part of subcall function 0045D358: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D3F7,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D3D1
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D56B
                                                                                    • GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D6A5,?,?,00000000), ref: 0045D574
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
                                                                                    • String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
                                                                                    • API String ID: 59345061-4263478283
                                                                                    APIs
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0041B853
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0041B85D
                                                                                    • GetObjectA.GDI32(?,00000018,00000004), ref: 0041B86F
                                                                                    • CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B886
                                                                                    • GetDC.USER32(00000000), ref: 0041B892
                                                                                    • CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B8BF
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041B8E5
                                                                                    • SelectObject.GDI32(00000000,?), ref: 0041B900
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B90F
                                                                                    • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041B949
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B957
                                                                                    • DeleteDC.GDI32(00000000), ref: 0041B960
                                                                                    • DeleteDC.GDI32(?), ref: 0041B969
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                    • String ID:
                                                                                    • API String ID: 644427674-0
                                                                                    • Opcode ID: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
                                                                                    • Instruction ID: 5bdd10242b191c11111876c14ee0e8e9a171a3e9253023a3b6fe339c600245b0
                                                                                    • Opcode Fuzzy Hash: 73ee91a3acc86688725df9706b2ea354b5f5707f63fbf8f57308390f59fb2a3c
                                                                                    • Instruction Fuzzy Hash: F841AC71E40659ABDF10EAE9D846FAFB7BCEB08704F104466F614FB281C77869408BA4
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,?,00000000,?,00000000,00455309,?,0045B3FA,00000003,00000000,00000000,00455340), ref: 00455189
                                                                                      • Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77
                                                                                    • RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045520D
                                                                                    • RegQueryValueExA.ADVAPI32(0045B3FA,00000000,00000000,00000000,?,00000004,00000000,00455253,?,0045B3FA,00000000,00000000,?,00000000,?,00000000), ref: 0045523C
                                                                                    Strings
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550E0
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004550A7
                                                                                    • RegOpenKeyEx, xrefs: 0045510C
                                                                                    • , xrefs: 004550FA
                                                                                    Similarity
                                                                                    • API ID: QueryValue$FormatMessageOpen
                                                                                    • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                    • API String ID: 2812809588-1577016196
                                                                                    • Opcode ID: 6df625b7e52a4512240137af4b2144532ab67cd662756d392dc03fc0958db8dc
                                                                                    • Instruction ID: a1e8c034b49f6a69a24190b621a186803033118ea706e5513908ccb254d87fbd
                                                                                    • Opcode Fuzzy Hash: 6df625b7e52a4512240137af4b2144532ab67cd662756d392dc03fc0958db8dc
                                                                                    • Instruction Fuzzy Hash: 30914071D00608ABDB00DBE5D952BEEB7F8EB49305F50406BF904F7282D6789E098B69
                                                                                    APIs
                                                                                      • Part of subcall function 00459BF4: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459D8F
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459DF9
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459E60
                                                                                    Strings
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459DAC
                                                                                    • .NET Framework version %s not found, xrefs: 00459E99
                                                                                    • .NET Framework not found, xrefs: 00459EAD
                                                                                    • v2.0.50727, xrefs: 00459DEB
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459E13
                                                                                    • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459D42
                                                                                    • v4.0.30319, xrefs: 00459D81
                                                                                    • v1.1.4322, xrefs: 00459E52
                                                                                    Similarity
                                                                                    • API ID: Close$Open
                                                                                    • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                                                    • API String ID: 2976201327-446240816
                                                                                    • Opcode ID: 571fcd6c2bbbd5bdd504cb78bb8ba544710cb3a13efd5566d6a0f750a38c5856
                                                                                    • Instruction ID: 28c73818cd0e0a48a6ea9a4a771bbd3fec88f932accac903083750955a5b2269
                                                                                    • Opcode Fuzzy Hash: 571fcd6c2bbbd5bdd504cb78bb8ba544710cb3a13efd5566d6a0f750a38c5856
                                                                                    • Instruction Fuzzy Hash: 6A51C135A041059BCB00DF65D8A2BEE77BADB49305F5444BBA901D7383EB39AE0EC758
                                                                                    APIs
                                                                                    • CloseHandle.KERNEL32(?), ref: 0045930B
                                                                                    • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459327
                                                                                    • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00459335
                                                                                    • GetExitCodeProcess.KERNEL32(?), ref: 00459346
                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045938D
                                                                                    • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004593A9
                                                                                    Strings
                                                                                    • Helper process exited., xrefs: 00459355
                                                                                    • Stopping 64-bit helper process. (PID: %u), xrefs: 004592FD
                                                                                    • Helper process exited, but failed to get exit code., xrefs: 0045937F
                                                                                    • Helper process exited with failure code: 0x%x, xrefs: 00459373
                                                                                    • Helper isn't responding; killing it., xrefs: 00459317
                                                                                    Similarity
                                                                                    • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                    • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                    • API String ID: 3355656108-1243109208
                                                                                    • Opcode ID: 941731b9cdee66e93fa5785f74061fde03e4c36eff66e4c850800c3218b73104
                                                                                    • Instruction ID: e85fc657e119397c97ed97e1faf084f02df15e80d39cea5897c552b80fc28b15
                                                                                    • Opcode Fuzzy Hash: 941731b9cdee66e93fa5785f74061fde03e4c36eff66e4c850800c3218b73104
                                                                                    • Instruction Fuzzy Hash: 1C212A70604740DBC720E779C88575B77D49F48305F04892EBC9ADB292EA78EC489B6A
                                                                                    APIs
                                                                                      • Part of subcall function 0042E274: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E2A0
                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454E4B
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454EFB,?,00000000,00454FBF), ref: 00454F87
                                                                                      • Part of subcall function 0042ED58: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453A6B,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED77
                                                                                    Strings
                                                                                    • , xrefs: 00454DAD
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D63
                                                                                    • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454D93
                                                                                    • RegCreateKeyEx, xrefs: 00454DBF
                                                                                    Similarity
                                                                                    • API ID: CloseCreateFormatMessageQueryValue
                                                                                    • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                    • API String ID: 2481121983-1280779767
                                                                                    • Opcode ID: b35eece11a48b00f4ea8293e579fd0a194e030ab02b82aaa36028cc4acf21adf
                                                                                    • Instruction ID: c7e759269ab329005b5c2b3a4910326777c7a2f104b103968227fab848b04cb9
                                                                                    • Opcode Fuzzy Hash: b35eece11a48b00f4ea8293e579fd0a194e030ab02b82aaa36028cc4acf21adf
                                                                                    • Instruction Fuzzy Hash: FB81FE71A00209AFDB10DF95C952BEEB7B8FB48305F50452AF900FB282D7789E45CB69
                                                                                    APIs
                                                                                      • Part of subcall function 004540B8: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
                                                                                      • Part of subcall function 004540B8: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7
                                                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00499B39
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00499C8D), ref: 00499B5A
                                                                                    • CreateWindowExA.USER32(00000000,STATIC,00499C9C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00499B81
                                                                                    • SetWindowLongA.USER32(?,000000FC,00499314), ref: 00499B94
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC,00499C9C), ref: 00499BC4
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00499C38
                                                                                    • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000), ref: 00499C44
                                                                                      • Part of subcall function 0045452C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613
                                                                                    • DestroyWindow.USER32(?,00499C67,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00499C60,?,?,000000FC,00499314,00000000,STATIC), ref: 00499C5A
                                                                                    Similarity
                                                                                    • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                    • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                    • API String ID: 1549857992-2312673372
                                                                                    • Opcode ID: 0f0de4940a8f02b476216aea2372db7887808d18770670f627c3c97bacfe396b
                                                                                    • Instruction ID: eb5cd57210df4e96fe4a968102c50da815bdab5ab87cf2bc8b3503f8df2cfa0e
                                                                                    • Opcode Fuzzy Hash: 0f0de4940a8f02b476216aea2372db7887808d18770670f627c3c97bacfe396b
                                                                                    • Instruction Fuzzy Hash: 36414170A00208AFDF00EBA9DD42F9E7BF8EB09704F11457AF510F7291D6799E008B68
                                                                                    APIs
                                                                                    • GetActiveWindow.USER32 ref: 0042F660
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F674
                                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F681
                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F68E
                                                                                    • GetWindowRect.USER32(?,00000000), ref: 0042F6DA
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F718
                                                                                    Similarity
                                                                                    • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                    • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                    • API String ID: 2610873146-3407710046
                                                                                    • Opcode ID: b5ea353968f10d2957ac65908b1706e59bf7b95ff1b6bec8b3b926cf677c6a30
                                                                                    • Instruction ID: 4fddece845ce4b02eeba35f690bf3974305695bca327a465bc6d277b32236c01
                                                                                    • Opcode Fuzzy Hash: b5ea353968f10d2957ac65908b1706e59bf7b95ff1b6bec8b3b926cf677c6a30
                                                                                    • Instruction Fuzzy Hash: F721C2B67006146BD300EA78EC85F3B77A9DBD4710F98463AF944DB382DA78EC084B59
                                                                                    APIs
                                                                                    • GetActiveWindow.USER32 ref: 00463DF0
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 00463E04
                                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463E11
                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00463E1E
                                                                                    • GetWindowRect.USER32(?,00000000), ref: 00463E6A
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00463EA8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                    • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                    • API String ID: 2610873146-3407710046
                                                                                    APIs
                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045968B,?,00000000,004596EE,?,?,00000000,00000000), ref: 00459509
                                                                                    • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459566
                                                                                    • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00459620,?,00000000,00000001,00000000,00000000,00000000,0045968B), ref: 00459573
                                                                                    • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004595BF
                                                                                    • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00459620,?,00000000), ref: 004595E5
                                                                                    • GetLastError.KERNEL32(?,?,00000000,00000001,004595F9,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,00459620,?,00000000), ref: 004595EC
                                                                                      • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                    • String ID: CreateEvent$TransactNamedPipe
                                                                                    • API String ID: 2182916169-3012584893
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,004576B5,?,?,00000031,?), ref: 00457578
                                                                                    • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 0045757E
                                                                                    • LoadTypeLib.OLEAUT32(00000000,?), ref: 004575CB
                                                                                      • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                    • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                    • API String ID: 1914119943-2711329623
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E8D1
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E8D7
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E9AD,?,00000000,00480920,00000000), ref: 0042E925
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressCloseHandleModuleProc
                                                                                    • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                    • API String ID: 4190037839-2401316094
                                                                                    APIs
                                                                                    • RectVisible.GDI32(?,?), ref: 004172A3
                                                                                    • SaveDC.GDI32(?), ref: 004172B7
                                                                                    • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 004172DA
                                                                                    • RestoreDC.GDI32(?,?), ref: 004172F5
                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00417375
                                                                                    • FrameRect.USER32(?,?,?), ref: 004173A8
                                                                                    • DeleteObject.GDI32(?), ref: 004173B2
                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 004173C2
                                                                                    • FrameRect.USER32(?,?,?), ref: 004173F5
                                                                                    • DeleteObject.GDI32(?), ref: 004173FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                    • String ID:
                                                                                    • API String ID: 375863564-0
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                    • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                    • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                    • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                    • String ID:
                                                                                    • API String ID: 1694776339-0
                                                                                    APIs
                                                                                    • GetSystemMenu.USER32(00000000,00000000), ref: 004226C3
                                                                                    • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226E1
                                                                                    • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226EE
                                                                                    • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226FB
                                                                                    • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422708
                                                                                    • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422715
                                                                                    • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422722
                                                                                    • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042272F
                                                                                    • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042274D
                                                                                    • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422769
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Delete$EnableItem$System
                                                                                    • String ID:
                                                                                    • API String ID: 3985193851-0
                                                                                    APIs
                                                                                    • SHGetMalloc.SHELL32(?), ref: 004629AF
                                                                                    • GetActiveWindow.USER32 ref: 00462A13
                                                                                    • CoInitialize.OLE32(00000000), ref: 00462A27
                                                                                    • SHBrowseForFolder.SHELL32(?), ref: 00462A3E
                                                                                    • CoUninitialize.OLE32(00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A53
                                                                                    • SetActiveWindow.USER32(?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A69
                                                                                    • SetActiveWindow.USER32(?,?,00462A7F,00000000,?,?,?,?,?,00000000,00462B03), ref: 00462A72
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                    • String ID: A
                                                                                    • API String ID: 2684663990-3554254475
                                                                                    APIs
                                                                                    • GetSystemMetrics.USER32(0000000E), ref: 00419100
                                                                                    • GetSystemMetrics.USER32(0000000D), ref: 00419108
                                                                                    • 6FD82980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041910E
                                                                                      • Part of subcall function 00410C88: 6FD7C400.COMCTL32(,I,000000FF,00000000,0041913C,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00410C8C
                                                                                    • 6FDECB00.COMCTL32(,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 0041915E
                                                                                    • 6FDEC740.COMCTL32(00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419169
                                                                                    • 6FDECB00.COMCTL32(,I,00000001,?,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000), ref: 0041917C
                                                                                    • 6FD80860.COMCTL32(,I,0041919F,?,00000000,?,,I,00000000,00000000,00000000,00000000,00419198,?,00000000,0000000D,00000000,0000000E), ref: 00419192
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: MetricsSystem$C400C740D80860D82980
                                                                                    • String ID: ,I
                                                                                    • API String ID: 2924641870-3697734810
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DB4D
                                                                                    • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DB5D
                                                                                    • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DB6D
                                                                                    • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DB7D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                    • API String ID: 190572456-3516654456
                                                                                    APIs
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0041AE49
                                                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE83
                                                                                    • SetBkColor.GDI32(?,?), ref: 0041AE98
                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEE2
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041AEED
                                                                                    • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEFD
                                                                                    • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AF3C
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0041AF46
                                                                                    • SetBkColor.GDI32(00000000,?), ref: 0041AF53
                                                                                    Similarity
                                                                                    • API ID: Color$StretchText
                                                                                    • String ID:
                                                                                    • API String ID: 2984075790-0
                                                                                    APIs
                                                                                    • OffsetRect.USER32(?,00000001,00000001), ref: 0044D815
                                                                                    • GetSysColor.USER32(00000014), ref: 0044D81C
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0044D834
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D85D
                                                                                    • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D867
                                                                                    • GetSysColor.USER32(00000010), ref: 0044D86E
                                                                                    • SetTextColor.GDI32(00000000,00000000), ref: 0044D886
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8AF
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D8DA
                                                                                    Similarity
                                                                                    • API ID: Text$Color$Draw$OffsetRect
                                                                                    • String ID:
                                                                                    • API String ID: 1005981011-0
                                                                                    APIs
                                                                                      • Part of subcall function 00451104: SetEndOfFile.KERNEL32(?,?,0045CBD2,00000000,0045CD5D,?,00000000,00000002,00000002), ref: 0045110B
                                                                                      • Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB
                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 004993F1
                                                                                    • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00499405
                                                                                    • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 0049941F
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 0049942B
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499431
                                                                                    • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00499444
                                                                                    Strings
                                                                                    • Deleting Uninstall data files., xrefs: 00499367
                                                                                    Similarity
                                                                                    • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                    • String ID: Deleting Uninstall data files.
                                                                                    • API String ID: 1570157960-2568741658
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D,?,?,?,?,00000000), ref: 00471AC7
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471B5D), ref: 00471ADE
                                                                                    • AddFontResourceA.GDI32(00000000), ref: 00471AFB
                                                                                    • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471B0F
                                                                                    Strings
                                                                                    • AddFontResource, xrefs: 00471B19
                                                                                    • Failed to set value in Fonts registry key., xrefs: 00471AD0
                                                                                    • Failed to open Fonts registry key., xrefs: 00471AE5
                                                                                    Similarity
                                                                                    • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                    • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                    • API String ID: 955540645-649663873
                                                                                    APIs
                                                                                      • Part of subcall function 004168A0: GetClassInfoA.USER32(00400000,?,?), ref: 0041690F
                                                                                      • Part of subcall function 004168A0: UnregisterClassA.USER32(?,00400000), ref: 0041693B
                                                                                      • Part of subcall function 004168A0: RegisterClassA.USER32(?), ref: 0041695E
                                                                                    • GetVersion.KERNEL32 ref: 00464254
                                                                                    • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00464292
                                                                                    • SHGetFileInfo.SHELL32(00464330,00000000,?,00000160,00004011), ref: 004642AF
                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 004642CD
                                                                                    • SetCursor.USER32(00000000,00000000,00007F02,00464330,00000000,?,00000160,00004011), ref: 004642D3
                                                                                    • SetCursor.USER32(?,00464313,00007F02,00464330,00000000,?,00000160,00004011), ref: 00464306
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                    • String ID: Explorer
                                                                                    • API String ID: 2594429197-512347832
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02117A00,?,?,?,02117A00,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A4FD
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047A503
                                                                                    • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A00,?,?,?,02117A00,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A516
                                                                                    • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02117A00,?,?,?,02117A00), ref: 0047A540
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,02117A00,0047A6A8,00000000,0047A7C6,?,?,?,?), ref: 0047A55E
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                    • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                    • API String ID: 2704155762-2318956294
                                                                                    • Opcode ID: 082cb103ca6f95a7beae000f8f5c9209c3eb63ab3cc63e031f07a8293c6645fc
                                                                                    • Instruction ID: 4c547af52153d5fc494c8abbb987ccd3797ba2b79672919e7250df90ec71fc91
                                                                                    • Opcode Fuzzy Hash: 082cb103ca6f95a7beae000f8f5c9209c3eb63ab3cc63e031f07a8293c6645fc
                                                                                    • Instruction Fuzzy Hash: 54019291B4070476E520717A4C86BBF264C8BD4769F248137BB1CFE2D2E9AD992601AF
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,0045A81E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049A6E1,?,00000000,0049A784), ref: 0045A762
                                                                                      • Part of subcall function 00454BF0: FindClose.KERNEL32(000000FF,00454CE6), ref: 00454CD5
                                                                                    Strings
                                                                                    • Deleting directory: %s, xrefs: 0045A6EB
                                                                                    • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A73C
                                                                                    • Failed to delete directory (%d)., xrefs: 0045A7F8
                                                                                    • Failed to delete directory (%d). Will retry later., xrefs: 0045A77B
                                                                                    • Stripped read-only attribute., xrefs: 0045A724
                                                                                    • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A7D7
                                                                                    • Failed to strip read-only attribute., xrefs: 0045A730
                                                                                    Similarity
                                                                                    • API ID: CloseErrorFindLast
                                                                                    • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                    • API String ID: 754982922-1448842058
                                                                                    • Opcode ID: 5346217df39339977b51ae0a3ca3b2b9cdfea47d40e409fafac5e4da8c828573
                                                                                    • Instruction ID: ed451348c7d3678a4819a833a09a40bf82a586c96773c367329f7393d5e0e002
                                                                                    • Opcode Fuzzy Hash: 5346217df39339977b51ae0a3ca3b2b9cdfea47d40e409fafac5e4da8c828573
                                                                                    • Instruction Fuzzy Hash: 9441A734A101189BCB00EB6988417AE76A59F89306F55867FAC01E7383DB7CCA1D875F
                                                                                    APIs
                                                                                    • GetCapture.USER32 ref: 00423334
                                                                                    • GetCapture.USER32 ref: 00423343
                                                                                    • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00423349
                                                                                    • ReleaseCapture.USER32 ref: 0042334E
                                                                                    • GetActiveWindow.USER32 ref: 0042335D
                                                                                    • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004233DC
                                                                                    • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00423440
                                                                                    • GetActiveWindow.USER32 ref: 0042344F
                                                                                    Similarity
                                                                                    • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                    • String ID:
                                                                                    • API String ID: 862346643-0
                                                                                    • Opcode ID: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
                                                                                    • Instruction ID: 18bdd7e577e3521af934e8bbd68e58ee55e38e107d312ae6febd14bbc8fb8244
                                                                                    • Opcode Fuzzy Hash: f69812db9b2b79ec794c9b8766cda1920263d90c5a2084de5f9108f08cb6d884
                                                                                    • Instruction Fuzzy Hash: 07414D30B00254AFDB10EF6AD982B9E77F1AF04704F5440BAE440AB2A2DB7D9F40CB58
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0042991A
                                                                                    • GetTextMetricsA.GDI32(00000000), ref: 00429923
                                                                                      • Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00429932
                                                                                    • GetTextMetricsA.GDI32(00000000,?), ref: 0042993F
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00429946
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0042994E
                                                                                    • GetSystemMetrics.USER32(00000006), ref: 00429973
                                                                                    • GetSystemMetrics.USER32(00000006), ref: 0042998D
                                                                                    Similarity
                                                                                    • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                    • String ID:
                                                                                    • API String ID: 1583807278-0
                                                                                    • Opcode ID: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
                                                                                    • Instruction ID: 064b8ceea34646deb673d9898a5f132a00f345b4bbd4d539d92df2c89931976d
                                                                                    • Opcode Fuzzy Hash: fcd26ccfdf6108e84c8416210a92b931db41bfea8d69a3a7f30610f4478b51e7
                                                                                    • Instruction Fuzzy Hash: 1801C4D17047112BF710B2B69CC2F6B5588DB84368F44053FFA869A3D3E97D9C80866E
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0041E2B7
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041E2C1
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041E2CE
                                                                                    • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041E2DD
                                                                                    • GetStockObject.GDI32(00000007), ref: 0041E2EB
                                                                                    • GetStockObject.GDI32(00000005), ref: 0041E2F7
                                                                                    • GetStockObject.GDI32(0000000D), ref: 0041E303
                                                                                    • LoadIconA.USER32(00000000,00007F00), ref: 0041E314
                                                                                    Similarity
                                                                                    • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                    • String ID:
                                                                                    • API String ID: 225703358-0
                                                                                    • Opcode ID: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
                                                                                    • Instruction ID: eda06bb9e73b08d19024368069479301758e63dc44a0e31fec7fdbc279e4b1ec
                                                                                    • Opcode Fuzzy Hash: 23cce13aa5fe555fb55eaf4af2e89c8eae1af8f60db2075199e19e80c48d8f58
                                                                                    • Instruction Fuzzy Hash: 8C112B70645301AAE740FF765996BAA3690D724708F40943BF604EF3D2DB7E5C418B6E
                                                                                    APIs
                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 00464738
                                                                                    • SetCursor.USER32(00000000,00000000,00007F02,00000000,004647CD), ref: 0046473E
                                                                                    • SetCursor.USER32(?,004647B5,00007F02,00000000,004647CD), ref: 004647A8
                                                                                    Similarity
                                                                                    • API ID: Cursor$Load
                                                                                    • String ID: $ $Internal error: Item already expanding
                                                                                    • API String ID: 1675784387-1948079669
                                                                                    • Opcode ID: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
                                                                                    • Instruction ID: 9cbbcba472df96bd09ce797c5f765fac8c2f652b56477a68fde2327aac6a5f51
                                                                                    • Opcode Fuzzy Hash: f0d8b3a22494a668e36ff372e63dbf03653d2e1c551dd02a847e0882ae5da109
                                                                                    • Instruction Fuzzy Hash: 8CB1C174600604DFDB20DF65C585B9BBBF0AF85308F1580ABE8459B792E778ED44CB1A
                                                                                    APIs
                                                                                    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00454613
                                                                                    Similarity
                                                                                    • API ID: PrivateProfileStringWrite
                                                                                    • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                    • API String ID: 390214022-3304407042
                                                                                    • Opcode ID: fc2f0a429556627ddf5cabc681d984d0c75af6d26db071d07ca7a7ecd82d7856
                                                                                    • Instruction ID: c5648654d35dc4fa5992192bdfac3c74e0b4d15883e79a195514524b6fb94f40
                                                                                    • Opcode Fuzzy Hash: fc2f0a429556627ddf5cabc681d984d0c75af6d26db071d07ca7a7ecd82d7856
                                                                                    • Instruction Fuzzy Hash: D1912334A001099BDB01EFA5D841BDEB7F5EF89309F508467E900BB692D778AE49CB58
                                                                                    APIs
                                                                                    • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00478E1D
                                                                                    • SetWindowLongW.USER32(00000000,000000FC,00478D78), ref: 00478E44
                                                                                    • GetACP.KERNEL32(00000000,0047905C,?,00000000,00479086), ref: 00478E81
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00478EC7
                                                                                    Similarity
                                                                                    • API ID: ClassInfoLongMessageSendWindow
                                                                                    • String ID: COMBOBOX$Inno Setup: Language
                                                                                    • API String ID: 3391662889-4234151509
                                                                                    • Opcode ID: 64aed83d7cd5fc135e30750f8cb7816a0e0a0640c1f8587c76686a23d2846c44
                                                                                    • Instruction ID: 9a1e1fbd3c649eeeadcf20bc1b1a007eb45d24132bb8eba9a2a930841c17950d
                                                                                    • Opcode Fuzzy Hash: 64aed83d7cd5fc135e30750f8cb7816a0e0a0640c1f8587c76686a23d2846c44
                                                                                    • Instruction Fuzzy Hash: 64814E34A40605DFC710DF69C889AAAB7F5FB49304F1081BAE808DB762DB78AD45CB59
                                                                                    APIs
                                                                                    • GetSystemDefaultLCID.KERNEL32(00000000,00408DF8,?,?,?,?,00000000,00000000,00000000,?,00409DFF,00000000,00409E12), ref: 00408BCA
                                                                                      • Part of subcall function 004089F8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049E4C4,00000001,?,00408AC3,?,00000000,00408BA2), ref: 00408A16
                                                                                      • Part of subcall function 00408A44: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C46,?,?,?,00000000,00408DF8), ref: 00408A57
                                                                                    Similarity
                                                                                    • API ID: InfoLocale$DefaultSystem
                                                                                    • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                    • API String ID: 1044490935-665933166
                                                                                    • Opcode ID: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
                                                                                    • Instruction ID: 6e389ecbf5aa42e5faf75f2f0cdd2dfe5a993f3520af0ea01b43abf2a46df86b
                                                                                    • Opcode Fuzzy Hash: 9a7eb394a66080edfd24f68117555f400a3e3cdfc1c474aefde3fc5f2e1ccb78
                                                                                    • Instruction Fuzzy Hash: 20514E34B00148ABDB01EBAAC94169E676ADB98308F50947FB091BB7C7CE3CDA05975D
                                                                                    APIs
                                                                                    • GetVersion.KERNEL32(00000000,00411D89), ref: 00411C1C
                                                                                    • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411CDA
                                                                                      • Part of subcall function 00411F3C: CreatePopupMenu.USER32 ref: 00411F56
                                                                                    • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D66
                                                                                      • Part of subcall function 00411F3C: CreateMenu.USER32 ref: 00411F60
                                                                                    • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D4D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                    • String ID: ,$?
                                                                                    • API String ID: 2359071979-2308483597
                                                                                    APIs
                                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 0041C3B8
                                                                                    • GetObjectA.GDI32(?,00000018,?), ref: 0041C3C7
                                                                                    • GetBitmapBits.GDI32(?,?,?), ref: 0041C418
                                                                                    • GetBitmapBits.GDI32(?,?,?), ref: 0041C426
                                                                                    • DeleteObject.GDI32(?), ref: 0041C42F
                                                                                    • DeleteObject.GDI32(?), ref: 0041C438
                                                                                    • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041C455
                                                                                    Similarity
                                                                                    • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                    • String ID:
                                                                                    • API String ID: 1030595962-0
                                                                                    APIs
                                                                                    • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041D38E
                                                                                    • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041D3AD
                                                                                    • SelectPalette.GDI32(?,?,00000001), ref: 0041D413
                                                                                    • RealizePalette.GDI32(?), ref: 0041D422
                                                                                    • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D48C
                                                                                    • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D4CA
                                                                                    • SelectPalette.GDI32(?,?,00000001), ref: 0041D4EF
                                                                                    Similarity
                                                                                    • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                    • String ID:
                                                                                    • API String ID: 2222416421-0
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,?,?), ref: 00457BBE
                                                                                      • Part of subcall function 0042470C: GetWindowTextA.USER32(?,?,00000100), ref: 0042472C
                                                                                      • Part of subcall function 0041F334: GetCurrentThreadId.KERNEL32 ref: 0041F383
                                                                                      • Part of subcall function 0041F334: EnumThreadWindows.USER32(00000000,0041F2E4,00000000), ref: 0041F389
                                                                                      • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457C25
                                                                                    • TranslateMessage.USER32(?), ref: 00457C43
                                                                                    • DispatchMessageA.USER32(?), ref: 00457C4C
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                    • String ID: [Paused]
                                                                                    • API String ID: 1007367021-4230553315
                                                                                    APIs
                                                                                    • GetCursor.USER32(00000000,0046CB0B), ref: 0046CA88
                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 0046CA96
                                                                                    • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CA9C
                                                                                    • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAA6
                                                                                    • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046CB0B), ref: 0046CAAC
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Cursor$LoadSleep
                                                                                    • String ID: CheckPassword
                                                                                    • API String ID: 4023313301-1302249611
                                                                                    APIs
                                                                                      • Part of subcall function 00479D08: GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
                                                                                      • Part of subcall function 00479D08: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
                                                                                      • Part of subcall function 00479D08: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29
                                                                                    • SendMessageA.USER32(00000000,0000004A,00000000,0047A19A), ref: 00479E15
                                                                                    • GetTickCount.KERNEL32 ref: 00479E5A
                                                                                    • GetTickCount.KERNEL32 ref: 00479E64
                                                                                    • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00479EB9
                                                                                    Strings
                                                                                    • CallSpawnServer: Unexpected status: %d, xrefs: 00479EA2
                                                                                    • CallSpawnServer: Unexpected response: $%x, xrefs: 00479E4A
                                                                                    Similarity
                                                                                    • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                    • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                    • API String ID: 613034392-3771334282
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A0CF
                                                                                    Strings
                                                                                    • Failed to load .NET Framework DLL "%s", xrefs: 0045A0B4
                                                                                    • .NET Framework CreateAssemblyCache function failed, xrefs: 0045A0F2
                                                                                    • CreateAssemblyCache, xrefs: 0045A0C6
                                                                                    • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A0DA
                                                                                    • Fusion.dll, xrefs: 0045A06F
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                    • API String ID: 190572456-3990135632
                                                                                    APIs
                                                                                      • Part of subcall function 0041C4D8: GetObjectA.GDI32(?,00000018), ref: 0041C4E5
                                                                                    • GetFocus.USER32 ref: 0041C5F8
                                                                                    • GetDC.USER32(?), ref: 0041C604
                                                                                    • SelectPalette.GDI32(?,?,00000000), ref: 0041C625
                                                                                    • RealizePalette.GDI32(?), ref: 0041C631
                                                                                    • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C648
                                                                                    • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C670
                                                                                    • ReleaseDC.USER32(?,?), ref: 0041C67D
                                                                                    Similarity
                                                                                    • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                    • String ID:
                                                                                    • API String ID: 3303097818-0
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,004860F4), ref: 004860D9
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 00498385
                                                                                      • Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 004983A7
                                                                                    • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00498925), ref: 004983BB
                                                                                    • GetTextMetricsA.GDI32(00000000,?), ref: 004983DD
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 004983FA
                                                                                    Strings
                                                                                    • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004983B2
                                                                                    Similarity
                                                                                    • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                    • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                    APIs
                                                                                      • Part of subcall function 0044CDAC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044CDC4
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,0044CE9E,?,?,?,?,00000000,00000000), ref: 0044CE26
                                                                                    • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CE37
                                                                                    • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CE47
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$DirectoryLibraryLoadSystem
                                                                                    • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                    APIs
                                                                                    • SelectObject.GDI32(00000000,?), ref: 0041B900
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B90F
                                                                                    • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B93B
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041B949
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B957
                                                                                    • DeleteDC.GDI32(00000000), ref: 0041B960
                                                                                    • DeleteDC.GDI32(?), ref: 0041B969
                                                                                    Similarity
                                                                                    • API ID: ObjectSelect$Delete$Stretch
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • GetCursorPos.USER32 ref: 0042383F
                                                                                    • WindowFromPoint.USER32(?,?), ref: 0042384C
                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042385A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00423861
                                                                                    • SendMessageA.USER32(00000000,00000084,?,?), ref: 0042387A
                                                                                    • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423891
                                                                                    • SetCursor.USER32(00000000), ref: 004238A3
                                                                                    Similarity
                                                                                    • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                    • String ID:
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll), ref: 004981A8
                                                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004981B5
                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004981C2
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModule
                                                                                    • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045DA21
                                                                                    • GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045DA31
                                                                                    • GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045DA41
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                    APIs
                                                                                    • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DF21
                                                                                    • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DF31
                                                                                    • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DF41
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEC5
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EECB
                                                                                    • InterlockedExchange.KERNEL32(0049E66C,00000001), ref: 0042EEDC
                                                                                      • Part of subcall function 0042EE3C: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
                                                                                      • Part of subcall function 0042EE3C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
                                                                                      • Part of subcall function 0042EE3C: InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69
                                                                                    • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EEF0
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                    • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,?,0049BAA8), ref: 0047AD9A
                                                                                    • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 0047ADA7
                                                                                    • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 0047ADB7
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModule
                                                                                    • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                    • API String ID: 667068680-222143506
                                                                                    APIs
                                                                                    • GetFocus.USER32 ref: 0041BBD5
                                                                                    • GetDC.USER32(?), ref: 0041BBE1
                                                                                    • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BC16
                                                                                    • RealizePalette.GDI32(00000000), ref: 0041BC22
                                                                                    • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC50
                                                                                    • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC84
                                                                                    Similarity
                                                                                    • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                    • String ID:
                                                                                    • API String ID: 3275473261-0
                                                                                    APIs
                                                                                    • GetFocus.USER32 ref: 0041BEA7
                                                                                    • GetDC.USER32(?), ref: 0041BEB3
                                                                                    • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEED
                                                                                    • RealizePalette.GDI32(00000000), ref: 0041BEF9
                                                                                    • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BF1D
                                                                                    • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF51
                                                                                    Similarity
                                                                                    • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                    • String ID:
                                                                                    • API String ID: 3275473261-0
                                                                                    APIs
                                                                                      • Part of subcall function 0042F2FC: GetTickCount.KERNEL32 ref: 0042F302
                                                                                      • Part of subcall function 0042F118: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042F14D
                                                                                    • GetLastError.KERNEL32(00000000,004776FD,?,?,0049F1E4,00000000), ref: 004775D0
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CountErrorFileLastMoveTick
                                                                                    • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx$Renaming uninstaller.$The existing file appears to be in use (%d). Retrying.
                                                                                    • API String ID: 2406187244-79500563
                                                                                    APIs
                                                                                    • GetFocus.USER32 ref: 0041BA0E
                                                                                    • GetDC.USER32(?), ref: 0041BA1A
                                                                                    • GetDeviceCaps.GDI32(?,00000068), ref: 0041BA36
                                                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA53
                                                                                    • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA6A
                                                                                    • ReleaseDC.USER32(?,?), ref: 0041BAB6
                                                                                    Similarity
                                                                                    • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                    • String ID:
                                                                                    • API String ID: 2502006586-0
                                                                                    APIs
                                                                                    • SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947
                                                                                    • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045DA14,?,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D986
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                    • API String ID: 1452528299-1580325520
                                                                                    APIs
                                                                                    • GetSystemMetrics.USER32(0000000B), ref: 0041C265
                                                                                    • GetSystemMetrics.USER32(0000000C), ref: 0041C26F
                                                                                    • GetDC.USER32(00000000), ref: 0041C279
                                                                                    • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041C2A0
                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041C2AD
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0041C2E6
                                                                                    Similarity
                                                                                    • API ID: CapsDeviceMetricsSystem$Release
                                                                                    • String ID:
                                                                                    • API String ID: 447804332-0
                                                                                    APIs
                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 004809AA
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046E2F5), ref: 004809D0
                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 004809E0
                                                                                    • SetWindowLongA.USER32(?,000000EC,00000000), ref: 00480A01
                                                                                    • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00480A15
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00480A31
                                                                                    Similarity
                                                                                    • API ID: Window$Long$Show
                                                                                    • String ID:
                                                                                    • API String ID: 3609083571-0
                                                                                    APIs
                                                                                      • Part of subcall function 0041AB70: CreateBrushIndirect.GDI32 ref: 0041ABDB
                                                                                    • UnrealizeObject.GDI32(00000000), ref: 0041B70C
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0041B71E
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0041B741
                                                                                    • SetBkMode.GDI32(?,00000002), ref: 0041B74C
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0041B767
                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0041B772
                                                                                      • Part of subcall function 0041A4E8: GetSysColor.USER32(?), ref: 0041A4F2
                                                                                    Similarity
                                                                                    • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                    • String ID:
                                                                                    • API String ID: 3527656728-0
                                                                                    APIs
                                                                                      • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                                                    • ShowWindow.USER32(?,00000005,00000000,0049AE45,?,?,00000000), ref: 0049AC16
                                                                                      • Part of subcall function 0042DD54: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD67
                                                                                      • Part of subcall function 00407738: SetCurrentDirectoryA.KERNEL32(00000000,?,0049AC3E,00000000,0049AE11,?,?,00000005,00000000,0049AE45,?,?,00000000), ref: 00407743
                                                                                      • Part of subcall function 0042D8DC: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D96A,?,?,?,00000001,?,004568AE,00000000,00456916), ref: 0042D911
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                    • String ID: .dat$.msg$IMsg$Uninstall
                                                                                    • API String ID: 3312786188-1660910688
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF6A
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF70
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF99
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                    • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                    • API String ID: 828529508-2866557904
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EF00,00000004,0049C938,00457A81,00457E24,004579D8,00000000,00000B06,00000000,00000000,00000002,00000000,0048361D), ref: 0042EE52
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE58
                                                                                    • InterlockedExchange.KERNEL32(0049E664,00000001), ref: 0042EE69
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                    • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                    • API String ID: 3478007392-2498399450
                                                                                    APIs
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00479D10
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00479E07,0049F0AC,00000000), ref: 00479D23
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00479D29
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                    • String ID: AllowSetForegroundWindow$user32.dll
                                                                                    • API String ID: 1782028327-3855017861
                                                                                    APIs
                                                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448C1C), ref: 00448B48
                                                                                    • GetLastError.KERNEL32(00000000,?,?,00000000,00448C1C), ref: 00448B6F
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00448BD6
                                                                                    • GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00448C1C), ref: 00448BF1
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$AddressLibraryLoadProc
                                                                                    • String ID:
                                                                                    • API String ID: 1866314245-0
                                                                                    APIs
                                                                                    • BeginPaint.USER32(00000000,?), ref: 004170E2
                                                                                    • SaveDC.GDI32(?), ref: 00417113
                                                                                    • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,004171D5), ref: 00417174
                                                                                    • RestoreDC.GDI32(?,?), ref: 0041719B
                                                                                    • EndPaint.USER32(00000000,?,004171DC,00000000,004171D5), ref: 004171CF
                                                                                    Similarity
                                                                                    • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                    • String ID:
                                                                                    • API String ID: 3808407030-0
                                                                                    APIs
                                                                                    • GetSystemMetrics.USER32(0000000B), ref: 0041C05A
                                                                                    • GetSystemMetrics.USER32(0000000C), ref: 0041C064
                                                                                    • GetDC.USER32(00000000), ref: 0041C0A2
                                                                                    • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041C0E9
                                                                                    • DeleteObject.GDI32(00000000), ref: 0041C12A
                                                                                    Similarity
                                                                                    • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                    • String ID:
                                                                                    • API String ID: 1095203571-0
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429C98
                                                                                    • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429CC7
                                                                                    • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429CE3
                                                                                    • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 00429D0E
                                                                                    • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 00429D2C
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    APIs
                                                                                      • Part of subcall function 0045D8DC: SetLastError.KERNEL32(00000057,00000000,0045D9A8,?,?,?,?,00000000), ref: 0045D947
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 004751FA
                                                                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00475241,?,?,0049F1E4,00000000), ref: 00475210
                                                                                    Strings
                                                                                    • Could not set permissions on the key because it currently does not exist., xrefs: 00475204
                                                                                    • Failed to set permissions on the key (%d)., xrefs: 00475221
                                                                                    • Setting permissions on key: %s\%s, xrefs: 004751BE
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: Could not set permissions on the key because it currently does not exist.$Failed to set permissions on the key (%d).$Setting permissions on key: %s\%s
                                                                                    • API String ID: 1452528299-522033246
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                    • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                    • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                                    • String ID:
                                                                                    • API String ID: 262959230-0
                                                                                    APIs
                                                                                    • SelectPalette.GDI32(00000000,00000000,00000000), ref: 004148A9
                                                                                    • RealizePalette.GDI32(00000000), ref: 004148B1
                                                                                    • SelectPalette.GDI32(00000000,00000000,00000001), ref: 004148C5
                                                                                    • RealizePalette.GDI32(00000000), ref: 004148CB
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 004148D6
                                                                                    Similarity
                                                                                    • API ID: Palette$RealizeSelect$Release
                                                                                    • String ID:
                                                                                    • API String ID: 2261976640-0
                                                                                    APIs
                                                                                    • VirtualAlloc.KERNEL32(?,00100000,00002000,00000004,PI,?,?,?,004018B4), ref: 00401566
                                                                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000004,?,00100000,00002000,00000004,PI,?,?,?,004018B4), ref: 0040158B
                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00100000,00002000,00000004,PI,?,?,?,004018B4), ref: 004015B1
                                                                                    Similarity
                                                                                    • API ID: Virtual$Alloc$Free
                                                                                    • String ID: @I$PI
                                                                                    • API String ID: 3668210933-3401599750
                                                                                    APIs
                                                                                    • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407493
                                                                                    • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040750D
                                                                                    • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407565
                                                                                    Similarity
                                                                                    • API ID: Enum$NameOpenResourceUniversal
                                                                                    • String ID: Z
                                                                                    • API String ID: 3604996873-1505515367
                                                                                    APIs
                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 004613D4
                                                                                    • GetDIBits.GDI32(00000000,00000000,?,00000000,00000000,004615E1), ref: 004614D4
                                                                                    Similarity
                                                                                    • API ID: BitsCapsDevice
                                                                                    • String ID: $(
                                                                                    • API String ID: 1216508973-55695022
                                                                                    APIs
                                                                                    • SetRectEmpty.USER32(?), ref: 0044D6BA
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D6E5
                                                                                    • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D76D
                                                                                    Similarity
                                                                                    • API ID: DrawText$EmptyRect
                                                                                    • String ID:
                                                                                    • API String ID: 182455014-2867612384
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0042F46A
                                                                                      • Part of subcall function 0041A678: CreateFontIndirectA.GDI32(?), ref: 0041A737
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0042F48D
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 0042F56C
                                                                                    Similarity
                                                                                    • API ID: CreateFontIndirectObjectReleaseSelect
                                                                                    • String ID: ...\
                                                                                    • API String ID: 3133960002-983595016
                                                                                    APIs
                                                                                    • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541A7
                                                                                    • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00499C8D,_iu,?,00000000,004541F2), ref: 004541B7
                                                                                    Similarity
                                                                                    • API ID: CloseCreateFileHandle
                                                                                    • String ID: .tmp$_iu
                                                                                    • API String ID: 3498533004-10593223
                                                                                    APIs
                                                                                    • GetClassInfoA.USER32(00400000,?,?), ref: 0041690F
                                                                                    • UnregisterClassA.USER32(?,00400000), ref: 0041693B
                                                                                    • RegisterClassA.USER32(?), ref: 0041695E
                                                                                    Similarity
                                                                                    • API ID: Class$InfoRegisterUnregister
                                                                                    • String ID: @
                                                                                    • API String ID: 3749476976-2766056989
                                                                                    APIs
                                                                                    • GetFileAttributesA.KERNEL32(00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B104
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049B9E4,00000000,0049B18A,?,?,00000000,0049E62C), ref: 0049B12D
                                                                                    • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0049B146
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Attributes$Move
                                                                                    • String ID: isRS-%.3u.tmp
                                                                                    APIs
                                                                                      • Part of subcall function 0042CC94: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CCB8
                                                                                      • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                      • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00457480
                                                                                    • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 004574AD
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                    • String ID: LoadTypeLib$RegisterTypeLib
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 004579FE
                                                                                    • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00457A9B
                                                                                    Strings
                                                                                    • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457A2A
                                                                                    • Failed to create DebugClientWnd, xrefs: 00457A64
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 0045048C
                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000,004504FD,?,?,?,?,00000000,00000000), ref: 004504D2
                                                                                      • Part of subcall function 004503F4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0045040C
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad$DirectorySystem
                                                                                    • String ID: RICHED20.DLL$RICHED32.DLL
                                                                                    APIs
                                                                                      • Part of subcall function 00424754: SetWindowTextA.USER32(?,00000000), ref: 0042476C
                                                                                    • GetFocus.USER32 ref: 0047A8CB
                                                                                    • GetKeyState.USER32(0000007A), ref: 0047A8DD
                                                                                    • WaitMessage.USER32(?,00000000,0047A904,?,00000000,0047A92B,?,?,00000001,00000000,?,00482693,00000000,0048361D), ref: 0047A8E7
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: FocusMessageStateTextWaitWindow
                                                                                    • String ID: Wnd=$%x
                                                                                    APIs
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046FD58
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046FD67
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Time$File$LocalSystem
                                                                                    • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                    APIs
                                                                                    • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 0045477F
                                                                                      • Part of subcall function 004073E0: DeleteFileA.KERNEL32(00000000,0049E62C,0049B575,00000000,0049B5CA,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073EB
                                                                                    • MoveFileA.KERNEL32(00000000,00000000), ref: 004547A4
                                                                                      • Part of subcall function 00453C98: GetLastError.KERNEL32(00000000,0045482D,00000005,00000000,00454862,?,?,00000000,0049E62C,00000004,00000000,00000000,00000000,?,0049B229,00000000), ref: 00453C9B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: File$AttributesDeleteErrorLastMove
                                                                                    • String ID: DeleteFile$MoveFile
                                                                                    APIs
                                                                                      • Part of subcall function 0044BBBC: LoadLibraryA.KERNEL32(00000000,00000000,0044BF9F,?,?,?,?,00000000,00000000,?,0044FDE1,0049BA76), ref: 0044BC1E
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BC36
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BC48
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BC5A
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BC6C
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC7E
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BC90
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BCA2
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BCB4
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BCC6
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BCD8
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BCEA
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BCFC
                                                                                      • Part of subcall function 0044BBBC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BD0E
                                                                                      • Part of subcall function 004659E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004659FB
                                                                                    • LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,00465A8A,?,?,?,?,00000000,00000000,?,0049BA9E), ref: 00465A5F
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00465A65
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystem
                                                                                    • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459D31,00000000,00459EE9,?,00000000,00000000,00000000), ref: 00459C41
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                    • API String ID: 47109696-2631785700
                                                                                    • Opcode ID: 6ea10c76f3a51e10fcb4d9f5492d52bb10f1a65c239a5c68be9efa073fb1cee6
                                                                                    • Instruction ID: 38d3340ec7adb02875813bbcd1e17bd1b65749923c884860087a6e41a9d30ab7
                                                                                    • Opcode Fuzzy Hash: 6ea10c76f3a51e10fcb4d9f5492d52bb10f1a65c239a5c68be9efa073fb1cee6
                                                                                    • Instruction Fuzzy Hash: CEF0A9713001109BC710EB1A9881B9E63CEDB92316F24403BBA85C7353E63CCC0A8629
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FD5
                                                                                    • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485FF8
                                                                                    Strings
                                                                                    • CSDVersion, xrefs: 00485FCC
                                                                                    • System\CurrentControlSet\Control\Windows, xrefs: 00485FA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                    • API String ID: 3677997916-1910633163
                                                                                    • Opcode ID: eff0deaf13ea49943553eae6e73860ea3877aeeab0ba79e1eea048f87b0e4a05
                                                                                    • Instruction ID: 690f3357d7f3b8f107864325de2190f20260369eddc5d30bd8c99057d7f378d2
                                                                                    • Opcode Fuzzy Hash: eff0deaf13ea49943553eae6e73860ea3877aeeab0ba79e1eea048f87b0e4a05
                                                                                    • Instruction Fuzzy Hash: D9F04475A40208EADF10EAD58C45BDF73BC9B04704F104567EB10E7280EB39AA04CB5D
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00454356,00000000,004543F9,?,?,00000000,00000000,00000000,00000000,00000000,?,004547E9,00000000), ref: 0042DD9A
                                                                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DDA0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                    • API String ID: 1646373207-4063490227
                                                                                    • Opcode ID: 43326381e3bc40d1b008ad4d96650147bbd089414008ba5bfef6f44b6a0c9d35
                                                                                    • Instruction ID: 364facf3dcd8fd4fb48bac821a112922c1d8aa8d1bb3947713f5e14a9d28bbdd
                                                                                    • Opcode Fuzzy Hash: 43326381e3bc40d1b008ad4d96650147bbd089414008ba5bfef6f44b6a0c9d35
                                                                                    • Instruction Fuzzy Hash: 8EE026A1B60F0113D700317A5C8375B208E4F84718F90043F3984F52C2DDBCD988462D
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF60), ref: 0042EFF2
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFF8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                    • API String ID: 1646373207-260599015
                                                                                    • Opcode ID: dfc6bb9dc0fc5ec38f58292c2a590bdd0683480761c1ee7479f2282ad6a9d547
                                                                                    • Instruction ID: d167ebeb3a0c78ffef62d304a6593c01274f0b6b7e47665dfbb0b7c0d901300f
                                                                                    • Opcode Fuzzy Hash: dfc6bb9dc0fc5ec38f58292c2a590bdd0683480761c1ee7479f2282ad6a9d547
                                                                                    • Instruction Fuzzy Hash: 68D0C792712732576A5035F53CC1AAB429CC9156AE3D40077FA40E6143D95DCC1926AC
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049BA76), ref: 0044FDEB
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FDF1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: NotifyWinEvent$user32.dll
                                                                                    • API String ID: 1646373207-597752486
                                                                                    • Opcode ID: a5c0ac0c1efcf7d3608f9b1211c1a9f2a893ff30e05f8d2a27f72305b06527a9
                                                                                    • Instruction ID: 223032890b7009ceba89b3f881feb785258270d151d072d0a62a9436c582bc8a
                                                                                    • Opcode Fuzzy Hash: a5c0ac0c1efcf7d3608f9b1211c1a9f2a893ff30e05f8d2a27f72305b06527a9
                                                                                    • Instruction Fuzzy Hash: 4FE012F0D417509AFB00FBB79846B093AE0D76471CB10107FF541A6653DBBC54588B1E
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049BACC,00000001,00000000,0049BAF0), ref: 0049B7F6
                                                                                    • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049B7FC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleModuleProc
                                                                                    • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                    • API String ID: 1646373207-834958232
                                                                                    • Opcode ID: 5c98c5630daf554bcb4be2d096a3acfbc6f50bf9a9055b7be440b1920fc26866
                                                                                    • Instruction ID: 54119c6ef0f49054147f19105d5d020da2821b8521f233d32c589f61db0a4d0d
                                                                                    • Opcode Fuzzy Hash: 5c98c5630daf554bcb4be2d096a3acfbc6f50bf9a9055b7be440b1920fc26866
                                                                                    • Instruction Fuzzy Hash: E5B09280681A01509C00B2B22E02A6B080CCC887997240037B400B00C6CF6C844504BD
                                                                                    APIs
                                                                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88), ref: 0047FA00
                                                                                    • FindClose.KERNEL32(000000FF,0047FA2B,0047FA24,?,?,?,?,00000000,0047FB79,?,?,?,00000000,?,0047FC88,00000000), ref: 0047FA1E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileNext
                                                                                    • String ID:
                                                                                    • API String ID: 2066263336-0
                                                                                    • Opcode ID: f6036b974b30bc27f808fb4f8f1fde4f909c53259dec291d47473dcf43dfed37
                                                                                    • Instruction ID: a2492a823a8cbc0112e5e27725a6df3c9536d0a8ebd69a23b4f87c8590b3ed18
                                                                                    • Opcode Fuzzy Hash: f6036b974b30bc27f808fb4f8f1fde4f909c53259dec291d47473dcf43dfed37
                                                                                    • Instruction Fuzzy Hash: AE814F7090024DAFCF11DFA5CC51AEFBBB8EB49304F5080BAE508A7291D7399A4ACF55
                                                                                    APIs
                                                                                    • GetDesktopWindow.USER32 ref: 004141D6
                                                                                    • GetDesktopWindow.USER32 ref: 0041428E
                                                                                      • Part of subcall function 00419350: 6FDEC6F0.COMCTL32(?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 0041936C
                                                                                      • Part of subcall function 00419350: ShowCursor.USER32(00000001,?,00000000,00414453,00000000,00414563,?,?,0049E62C), ref: 00419389
                                                                                    • SetCursor.USER32(00000000,?,?,?,?,00413F83,00000000,00413F96), ref: 004142CC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CursorDesktopWindow$Show
                                                                                    • String ID:
                                                                                    • API String ID: 2074268717-0
                                                                                    • Opcode ID: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
                                                                                    • Instruction ID: 19a59601e3d98a3dbb13d851837e3bb0d350916c882c7f1eea00ba3daa39fbf9
                                                                                    • Opcode Fuzzy Hash: 8cfee51e6bd22bc240f75105183b6b05eca44474532d8ed2e66bef73f0c2bade
                                                                                    • Instruction Fuzzy Hash: 1B414C74600161EFCB10EF6AE988B9637E1ABA5318B4588BBF414CB365D738DC81CB1D
                                                                                    APIs
                                                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408F05
                                                                                    • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408F74
                                                                                    • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 0040900F
                                                                                    • MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040904E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString$FileMessageModuleName
                                                                                    • String ID:
                                                                                    • API String ID: 704749118-0
                                                                                    • Opcode ID: 812d311920031a8e66895dbedfea53089e64aafa65463e8f60422c8f645d5955
                                                                                    • Instruction ID: ceac9c6dafe2e417819c9b5c7653bc03c0e73b1c5c8721bcefa97444966463b6
                                                                                    • Opcode Fuzzy Hash: 812d311920031a8e66895dbedfea53089e64aafa65463e8f60422c8f645d5955
                                                                                    • Instruction Fuzzy Hash: 6B3152716083819EE330EB65C945B9B77D89B86704F00483EB6C8EB2D2DBB999048767
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044EF79
                                                                                      • Part of subcall function 0044D5BC: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044D5EE
                                                                                    • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EFFD
                                                                                      • Part of subcall function 0042C044: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042C058
                                                                                    • IsRectEmpty.USER32(?), ref: 0044EFBF
                                                                                    • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044EFE2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                    • String ID:
                                                                                    • API String ID: 855768636-0
                                                                                    • Opcode ID: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
                                                                                    • Instruction ID: 10a93ef1daca5ec4afac806ac6fb62918bca6b9886f72cf97470359dbd205846
                                                                                    • Opcode Fuzzy Hash: 9e5418f1d691a9325b46ebb0c0de8143c548934329e90edb6007b66489b6f05d
                                                                                    • Instruction Fuzzy Hash: F211387170030027E720BA7E9C86B5B76899B88748F04083FB545EB383DD79D80987AA
                                                                                    APIs
                                                                                    • OffsetRect.USER32(?,?,00000000), ref: 004987F4
                                                                                    • OffsetRect.USER32(?,00000000,?), ref: 0049880F
                                                                                    • OffsetRect.USER32(?,?,00000000), ref: 00498829
                                                                                    • OffsetRect.USER32(?,00000000,?), ref: 00498844
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: OffsetRect
                                                                                    • String ID:
                                                                                    • API String ID: 177026234-0
                                                                                    • Opcode ID: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
                                                                                    • Instruction ID: 3054ac6025076f3b6e7609c5ec68807071a52c8bb3756e2ec3ebb03cdf9dd8d0
                                                                                    • Opcode Fuzzy Hash: 6336d15f36953f24f9fc14a3ec9817a63ff553bf727e99fcd033c27e753f75de
                                                                                    • Instruction Fuzzy Hash: A4213BB66042019BD700DE6DCD85E6BB7EEEBC4300F54CA2EF554C724ADA34E94487A6
                                                                                    APIs
                                                                                    • MulDiv.KERNEL32(8B500000,00000008,?), ref: 0049845D
                                                                                    • MulDiv.KERNEL32(50142444,00000008,?), ref: 00498471
                                                                                    • MulDiv.KERNEL32(F6D0DBE8,00000008,?), ref: 00498485
                                                                                    • MulDiv.KERNEL32(8BF88BFF,00000008,?), ref: 004984A3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
                                                                                    • Instruction ID: 16986aa08010ea5786b5adfb16098ff8e4cfd335a8687684758257d255a94a27
                                                                                    • Opcode Fuzzy Hash: 132935396d45b7e69a68efe33a8bbc5bdde74f5cffd31387bad91a8df47aab5f
                                                                                    • Instruction Fuzzy Hash: E6112172604214ABCB40DFADC8C4D9B7BECEF4D330B14416AF918DB246DA34ED408BA4
                                                                                    APIs
                                                                                    • GetClassInfoA.USER32(00400000,0041F900,?), ref: 0041F931
                                                                                    • UnregisterClassA.USER32(0041F900,00400000), ref: 0041F95A
                                                                                    • RegisterClassA.USER32(0049C598), ref: 0041F964
                                                                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F99F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4025006896-0
                                                                                    • Opcode ID: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
                                                                                    • Instruction ID: 68e5657fabb3e6ce4c602d6ce4962bfcd13d5dfe703a8334c3f88caa16143e55
                                                                                    • Opcode Fuzzy Hash: 5f2beac9259aabfde2fa88ee50984dcdd8da4d914c3ba614155804bbda9a3f11
                                                                                    • Instruction Fuzzy Hash: 10019EB22001147BCB10EF69DC81E9B3798A719324B10413BBA05EB2E1C63AAC158BAD
                                                                                    APIs
                                                                                    • FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D4B7
                                                                                    • LoadResource.KERNEL32(00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94,0000000A,00000000), ref: 0040D4D1
                                                                                    • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?,?,0047ED94), ref: 0040D4EB
                                                                                    • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040AC58,00400000,00000001,00000000,?,0040D414,00000000,?,00000000,?), ref: 0040D4F5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                    • String ID:
                                                                                    • API String ID: 3473537107-0
                                                                                    • Opcode ID: 9bd8c699d2ce0c84cebcbedeaf10d9de5ae675f1ab96295db303bf00b8c9f240
                                                                                    • Instruction ID: 6e22508d3f73bf4cb8027158dc6397cf7561c54783b82958bb500a3598b7952a
                                                                                    • Opcode Fuzzy Hash: 9bd8c699d2ce0c84cebcbedeaf10d9de5ae675f1ab96295db303bf00b8c9f240
                                                                                    • Instruction Fuzzy Hash: 66F017736055046F9744EEADA881D6B77DCDE48364310417FF908D7246D938DD118B78
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000,0045C065), ref: 00456608
                                                                                    • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045C03E,?,?,?,?,?,00000000), ref: 00456611
                                                                                    • RemoveFontResourceA.GDI32(00000000), ref: 0045661E
                                                                                    • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00456632
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                    • String ID:
                                                                                    • API String ID: 4283692357-0
                                                                                    • Opcode ID: 8da521f969e59b5f7bc7328e57f6e42ddb3c87a668b1972d294a8e78805fb7fa
                                                                                    • Instruction ID: 8f096fb0a68a4ca8fa6e8945f44f96b9dbd63233ba955a9cb78d2d10420d775d
                                                                                    • Opcode Fuzzy Hash: 8da521f969e59b5f7bc7328e57f6e42ddb3c87a668b1972d294a8e78805fb7fa
                                                                                    • Instruction Fuzzy Hash: A4F05EB574131076EA10B6B69D87F5B268C8F54745F50483BBA00EF2C3D97CD805566E
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,00000000), ref: 004716A9
                                                                                    Strings
                                                                                    • Setting NTFS compression on directory: %s, xrefs: 00471677
                                                                                    • Unsetting NTFS compression on directory: %s, xrefs: 0047168F
                                                                                    • Failed to set NTFS compression state (%d)., xrefs: 004716BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
                                                                                    • API String ID: 1452528299-1392080489
                                                                                    • Opcode ID: 4cef6f6a4a71dfcfdb95b2b4fcf457652783e7f00feeb96097633952fc34e028
                                                                                    • Instruction ID: 126f6134b27ad8e4671cf18fb541cded6235f59fca6c90d789c2948c6de7ddb8
                                                                                    • Opcode Fuzzy Hash: 4cef6f6a4a71dfcfdb95b2b4fcf457652783e7f00feeb96097633952fc34e028
                                                                                    • Instruction Fuzzy Hash: 9C014F30E082486BCB04DBAD54412DDBBE49F4D305F58C1EFA458E7292DA780A088BAA
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 00471E55
                                                                                    Strings
                                                                                    • Setting NTFS compression on file: %s, xrefs: 00471E23
                                                                                    • Unsetting NTFS compression on file: %s, xrefs: 00471E3B
                                                                                    • Failed to set NTFS compression state (%d)., xrefs: 00471E66
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
                                                                                    • API String ID: 1452528299-3038984924
                                                                                    • Opcode ID: 8e8a0c5cdfe0ce8b7a8857350832ba381cbecebb6f103b99e3fa8de1305063f7
                                                                                    • Instruction ID: f6184f432152a0a7fc1a05f21f829c234c5ebe7cab1ff57a01f48c4da343ccce
                                                                                    • Opcode Fuzzy Hash: 8e8a0c5cdfe0ce8b7a8857350832ba381cbecebb6f103b99e3fa8de1305063f7
                                                                                    • Instruction Fuzzy Hash: 6F01A230E0824866DB00DBED54412DDBBE58F4D344F54C1EFAC58E7392DF780A088B9A
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A381
                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D,?,?,?,?,?,0049BB5F,00000000,0049BB87), ref: 0047A387
                                                                                    • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3A9
                                                                                    • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,00000001,00000000,00000002,00000000,0048361D), ref: 0047A3BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                                                    • String ID:
                                                                                    • API String ID: 215268677-0
                                                                                    • Opcode ID: 8dd2a67b4d889372424c6c287e68b3992f48423c1d8738de50cefae9b218c63f
                                                                                    • Instruction ID: c90943684b1729c40737559502ac118c81e83100165bab7ebfc4b972d9605339
                                                                                    • Opcode Fuzzy Hash: 8dd2a67b4d889372424c6c287e68b3992f48423c1d8738de50cefae9b218c63f
                                                                                    • Instruction Fuzzy Hash: 94F037616443006BD600EAB58D81E5F73DCDB44354F04883A7E94C72C1E678DC18A776
                                                                                    APIs
                                                                                    • GetLastActivePopup.USER32(?), ref: 004246DC
                                                                                    • IsWindowVisible.USER32(?), ref: 004246ED
                                                                                    • IsWindowEnabled.USER32(?), ref: 004246F7
                                                                                    • SetForegroundWindow.USER32(?), ref: 00424701
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                    • String ID:
                                                                                    • API String ID: 2280970139-0
                                                                                    • Opcode ID: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
                                                                                    • Instruction ID: 089861d4a48d175db2243411625799630e322bd2ba2e4807a6d4d74949adae11
                                                                                    • Opcode Fuzzy Hash: be5d64faa6e157b5653d3523cc15ea2db8985bb2f0094ead62a70df3ff2b4bec
                                                                                    • Instruction Fuzzy Hash: 1CE08691B03531129E31FAA518D1A9B018CEDC6B843461127FC26F7243DB1CCC0041BC
                                                                                    APIs
                                                                                    • GlobalHandle.KERNEL32 ref: 00406287
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040628E
                                                                                    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00406299
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Global$AllocHandleLockUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 2167344118-0
                                                                                    APIs
                                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047DD3D,?,00000000,00000000,00000001,00000000,0047C6ED,?,00000000), ref: 0047C6B1
                                                                                    Strings
                                                                                    • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047C525
                                                                                    • Failed to parse "reg" constant, xrefs: 0047C6B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Close
                                                                                    • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                    • API String ID: 3535843008-1938159461
                                                                                    APIs
                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478624
                                                                                    • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00478653,?,00000000,00478664,?,00000000,004786AD), ref: 00478638
                                                                                    Strings
                                                                                    • Extracting temporary file: , xrefs: 00478560
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: FileTime$Local
                                                                                    • String ID: Extracting temporary file:
                                                                                    • API String ID: 791338737-4171118009
                                                                                    Strings
                                                                                    • Failed to proceed to next wizard page; aborting., xrefs: 0046E2D0
                                                                                    • Failed to proceed to next wizard page; showing wizard., xrefs: 0046E2E4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                    • API String ID: 0-1974262853
                                                                                    APIs
                                                                                      • Part of subcall function 0042E2AC: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00485FB3,?,00000001,?,?,00485FB3,?,00000001,00000000), ref: 0042E2C8
                                                                                    • RegCloseKey.ADVAPI32(?,0047B0F2,?,?,00000001,00000000,00000000,0047B10D), ref: 0047B0DB
                                                                                    Strings
                                                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047B066
                                                                                    • %s\%s_is1, xrefs: 0047B084
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseOpen
                                                                                    • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                    • API String ID: 47109696-1598650737
                                                                                    APIs
                                                                                    • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 00450935
                                                                                    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00450966
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: ExecuteMessageSendShell
                                                                                    • String ID: open
                                                                                    • API String ID: 812272486-2758837156
                                                                                    APIs
                                                                                    • RtlEnterCriticalSection.KERNEL32(0049E420,00000000,)), ref: 004025C7
                                                                                    • RtlLeaveCriticalSection.KERNEL32(0049E420,0040263D), ref: 00402630
                                                                                      • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                      • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049E420,0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                      • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049E420,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                      • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049E420,00401A89,00000000,00401A82,?,?,0040222E,02158000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                    • String ID: )
                                                                                    • API String ID: 2227675388-1084416617
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 004999D5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: Window
                                                                                    • String ID: /INITPROCWND=$%x $@
                                                                                    • API String ID: 2353593579-4169826103
                                                                                    APIs
                                                                                      • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                      • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                    • SysFreeString.OLEAUT32(?), ref: 004479B6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: String$AllocByteCharFreeMultiWide
                                                                                    • String ID: NIL Interface Exception$Unknown Method
                                                                                    • API String ID: 3952431833-1023667238
                                                                                    APIs
                                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004992D4,?,004992C8,00000000,004992AF), ref: 0049927A
                                                                                    • CloseHandle.KERNEL32(00499314,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004992D4,?,004992C8,00000000), ref: 00499291
                                                                                      • Part of subcall function 00499164: GetLastError.KERNEL32(00000000,004991FC,?,?,?,?), ref: 00499188
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CloseCreateErrorHandleLastProcess
                                                                                    • String ID: D
                                                                                    • API String ID: 3798668922-2746444292
                                                                                    • Opcode ID: 86b85dac4087ee307130e2d8c242437bc479552d4b9d22a109efd5679118d05b
                                                                                    • Instruction ID: 28a6660038b4d88ad00b798bd9ba61154fa8ff357054911c5ced557c69a1e98d
                                                                                    • Opcode Fuzzy Hash: 86b85dac4087ee307130e2d8c242437bc479552d4b9d22a109efd5679118d05b
                                                                                    • Instruction Fuzzy Hash: B8015EB1604248BFDB00DB96CC42A9F7BACDF49714F51447AF504E72C1D6789E048A28
                                                                                    APIs
                                                                                    • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E208
                                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042E248
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Value$EnumQuery
                                                                                    • String ID: Inno Setup: No Icons
                                                                                    • API String ID: 1576479698-2016326496
                                                                                    • Opcode ID: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
                                                                                    • Instruction ID: a539eabee655ef144818f3097a210d44f5522b7a792cb7edb349fa40b75ec101
                                                                                    • Opcode Fuzzy Hash: bd0511ca20757f211e757699c0c9aa78b94ac5dafba73a7c2283d1bafa6b3c91
                                                                                    • Instruction Fuzzy Hash: 8C01DB3178D371E9F73545637D42B7B578C9B42B60F64027BF941BA2C0DA589C04927E
                                                                                    APIs
                                                                                      • Part of subcall function 00455E14: GetCurrentProcess.KERNEL32(00000028), ref: 00455E23
                                                                                      • Part of subcall function 00455E14: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455E29
                                                                                    • SetForegroundWindow.USER32(?), ref: 0049A71A
                                                                                    Strings
                                                                                    • Restarting Windows., xrefs: 0049A6F7
                                                                                    • Not restarting Windows because Uninstall is being run from the debugger., xrefs: 0049A745
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentForegroundOpenTokenWindow
                                                                                    • String ID: Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.
                                                                                    • API String ID: 3179053593-4147564754
                                                                                    • Opcode ID: bb6777940c6a50ae658ff3ebc4d9c8fd61fcf05fcdd40ee010721d59e4735647
                                                                                    • Instruction ID: 5122ca49785e6841ab91457b0b89b6e488dcfd7854ae65d0270566c1c2237fbf
                                                                                    • Opcode Fuzzy Hash: bb6777940c6a50ae658ff3ebc4d9c8fd61fcf05fcdd40ee010721d59e4735647
                                                                                    • Instruction Fuzzy Hash: EA01D4746041446FEB01FBA5D842B5C2BE99B94309F50447BF400AB2D3DA7CD959875E
                                                                                    APIs
                                                                                      • Part of subcall function 0047F300: FreeLibrary.KERNEL32(00000000,00483DC7), ref: 0047F316
                                                                                      • Part of subcall function 0047EFD8: GetTickCount.KERNEL32 ref: 0047F022
                                                                                      • Part of subcall function 00457B24: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 00457B43
                                                                                    • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049B7DF), ref: 0049AEDD
                                                                                    • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049B7DF), ref: 0049AEE3
                                                                                    Strings
                                                                                    • Detected restart. Removing temporary directory., xrefs: 0049AE97
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                    • String ID: Detected restart. Removing temporary directory.
                                                                                    • API String ID: 1717587489-3199836293
                                                                                    • Opcode ID: 228b47364d40a631affd0c677e0885d1ddc7291000f615e4cc02e4ac91571499
                                                                                    • Instruction ID: 3c913c32d0756031035703f4f4cddf398d0ed36f6509ee9f01125c758f9cf03b
                                                                                    • Opcode Fuzzy Hash: 228b47364d40a631affd0c677e0885d1ddc7291000f615e4cc02e4ac91571499
                                                                                    • Instruction Fuzzy Hash: DAE055722082843EDE0277A6BC1382B7F8CD34532D761047BF80481852D92C4820C27E
                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(00000000,0049BA3A), ref: 0040334B
                                                                                    • GetCommandLineA.KERNEL32(00000000,0049BA3A), ref: 00403356
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: CommandHandleLineModule
                                                                                    • String ID: 7g
                                                                                    • API String ID: 2123368496-2816524371
                                                                                    • Opcode ID: 507b3439899aadcda4e4dd714f17469bdfd07b248e46d296d00f93cf4dba3756
                                                                                    • Instruction ID: 98797e2be282b29c5dcb55f6b27639491d6d1699e35d5459d8823e2e9957d9fe
                                                                                    • Opcode Fuzzy Hash: 507b3439899aadcda4e4dd714f17469bdfd07b248e46d296d00f93cf4dba3756
                                                                                    • Instruction Fuzzy Hash: 72C002609012159AE750EF7758467152A949751349F80447FB104BE1E1D6BD82055BDE
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000001.00000002.1472106548.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000001.00000002.1472017254.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472188816.000000000049C000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472224937.000000000049D000.00000008.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472255755.000000000049E000.00000004.00000001.01000000.00000004.sdmp
                                                                                    • Associated: 00000001.00000002.1472275535.00000000004AE000.00000002.00000001.01000000.00000004.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_1_2_400000_setup.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastSleep
                                                                                    • String ID:
                                                                                    • API String ID: 1458359878-0
                                                                                    • Opcode ID: c7f2754f5f195428181d0e68f952d74d60786b4247b97f8622ccdb979f61344e
                                                                                    • Instruction ID: 9465cf589d0d0c12c73eacd3b1eef521cbdc8b34a4c5067471d78d0fd9128cb0
                                                                                    • Opcode Fuzzy Hash: c7f2754f5f195428181d0e68f952d74d60786b4247b97f8622ccdb979f61344e
                                                                                    • Instruction Fuzzy Hash: 08F02B32B05A14774F20A7BB989357FA28CDE44376710512BFD04D7343D939DE4586A8

                                                                                    Execution Graph

                                                                                    Execution Coverage:2.8%
                                                                                    Dynamic/Decrypted Code Coverage:0.2%
                                                                                    Signature Coverage:0%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:181
71963->72069 72070 32ec760 8 API calls 71963->72070 72071 32eb5b0 8 API calls 71963->72071 72073 32ebdd0 12 API calls 71963->72073 72074 32ebf90 10 API calls 71963->72074 72075 32ece70 10 API calls 71963->72075 72076 32ecd80 8 API calls 71963->72076 72077 32ec1d0 10 API calls 71963->72077 72078 32ecf90 12 API calls 71963->72078 71967 32e50c6 71966->71967 71968 32e4fb0 71966->71968 71967->71885 71968->71967 71970 32e5013 71968->71970 72082 32e4b40 fprintf fprintf fprintf longjmp 71968->72082 71972 32e5033 71970->71972 72083 32e4b40 fprintf fprintf fprintf longjmp 71970->72083 71973 32e507f 71972->71973 72084 32e4b40 fprintf fprintf fprintf longjmp 71972->72084 71976 32e509f 71973->71976 72085 32e4b40 fprintf fprintf fprintf longjmp 71973->72085 71977 32e50b9 71976->71977 72086 32e4c00 fprintf fprintf fprintf 71976->72086 71977->71885 71980 32e597b 71979->71980 71981 32e5994 71979->71981 72087 32edf20 47 API calls 71980->72087 72088 32e4c00 fprintf fprintf fprintf 71981->72088 71984 32e599f 71984->71889 71985 32e5981 71985->71889 71986->71878 71987->71887 71988->71899 71989->71901 71990->71903 72036 32e50f0 malloc 71991->72036 71993 32e53b8 71994 32e53c4 71993->71994 71995 32e53d1 _setjmp3 71993->71995 71994->71908 71996 32e53f1 71995->71996 72000 32e5425 71995->72000 72020 32e5250 71996->72020 72002 32e54f3 72000->72002 72006 32e5467 72000->72006 72001 32e5419 72001->71908 72029 32e51e0 72002->72029 72004 32e54ab sprintf 72037 32e4c00 fprintf fprintf fprintf 72004->72037 72005 32e54c4 sprintf 72038 32e4c00 fprintf fprintf fprintf 72005->72038 72006->72000 72006->72002 72006->72004 72006->72005 72009 32e54de 72039 32e4b40 fprintf fprintf fprintf longjmp 72009->72039 72010 32e54c1 72010->72005 72012 32e5508 72014 32e5563 72012->72014 72040 32e4b40 fprintf fprintf fprintf longjmp 72012->72040 72013 32e54f0 72013->72002 72015 32e6520 3 API calls 72014->72015 72017 32e5588 _setjmp3 72015->72017 72018 32e559d 72017->72018 72019 32e5597 abort 72017->72019 72018->71908 
72019->72018 72021 32e5258 72020->72021 72022 32e526c 72020->72022 72021->72022 72041 32e5280 72021->72041 72024 32e5190 72022->72024 72025 32e519e 72024->72025 72026 32e51d3 72024->72026 72027 32e51c9 free 72025->72027 72028 32e51a9 72025->72028 72026->72001 72027->72026 72028->72001 72030 32e522c 72029->72030 72031 32e51e9 72029->72031 72030->72012 72031->72030 72033 32e51fe 72031->72033 72045 32e5230 72031->72045 72035 32e5224 72033->72035 72049 32e4b40 fprintf fprintf fprintf longjmp 72033->72049 72035->72012 72036->71993 72037->72010 72038->72009 72039->72013 72040->72014 72042 32e5298 72041->72042 72043 32e5288 72041->72043 72042->72022 72043->72042 72044 32e5290 free 72043->72044 72044->72042 72046 32e524b 72045->72046 72047 32e5238 72045->72047 72046->72033 72047->72046 72048 32e5240 malloc 72047->72048 72048->72033 72049->72035 72050->71913 72051->71914 72052->71920 72053->71918 72054->71924 72055->71933 72056->71963 72057->71963 72058->71963 72059->71963 72060->71963 72061->71963 72062->71963 72063->71963 72064->71957 72065->71957 72066->71963 72067->71963 72068->71963 72069->71963 72070->71963 72071->71963 72072->71957 72073->71963 72074->71963 72075->71963 72076->71963 72077->71963 72078->71963 72079->71950 72080->71954 72081->71939 72082->71970 72083->71972 72084->71973 72085->71976 72086->71977 72087->71985 72088->71984 72089 32f5e7e 72090 32f5eb5 72089->72090 72091 32f5e85 LocalAlloc 72089->72091 72092 32f5ec9 72090->72092 72094 32f5ebc #1176 #1243 72090->72094 72091->72092 72093 32f5e96 LocalFree #1176 #1243 72091->72093 72093->72092 72094->72092 72095 403814 72096 403817 #100 72095->72096 72097 403853 72096->72097 72097->72096 72098 403920 72097->72098 72099 32c5930 72100 32c593b 72099->72100 72101 32c5942 OpenProcess 72099->72101 72102 32c595e K32GetModuleInformation 72101->72102 72103 32c5959 72101->72103 72104 32c5980 CloseHandle 72102->72104 72105 32c5973 CloseHandle 72102->72105 72106 32c3cf0 72115 32c2bd0 72106->72115 72108 32c3cfb 72109 
32c3d04 DefWindowProcA 72108->72109 72110 32c3d25 72108->72110 72111 32c27b0 12 API calls 72110->72111 72112 32c3d50 72111->72112 72118 32c3a80 72112->72118 72114 32c3d57 72116 32c27b0 12 API calls 72115->72116 72117 32c2bda 72116->72117 72117->72108 72119 32c16f0 111 API calls 72118->72119 72120 32c3a8b 72119->72120 72121 32c3ad6 72120->72121 72137 32d1090 72120->72137 72121->72114 72123 32c3aa0 72123->72121 72140 32d19e0 EnterCriticalSection 72123->72140 72125 32c3ab4 72125->72121 72126 32c3ae1 72125->72126 72128 32c3acb 72125->72128 72127 32c3b1c #1176 72126->72127 72132 32c3af8 72126->72132 72143 32d17f0 EnterCriticalSection InterlockedIncrement #2107 72127->72143 72141 32d15d0 7 API calls 72128->72141 72131 32c3b6a 72144 32d1910 EnterCriticalSection #2841 #4021 72131->72144 72142 32c3880 20 API calls 72132->72142 72135 32c3b02 72135->72121 72135->72127 72136 32c3b8c 72136->72114 72138 32bd530 EnterCriticalSection 72137->72138 72139 32d10b6 72138->72139 72139->72123 72140->72125 72141->72121 72142->72135 72143->72131 72144->72136 72145 32d1130 72146 32d113d 72145->72146 72147 32d11a2 72145->72147 72146->72147 72148 32c16f0 111 API calls 72146->72148 72149 32d114a 72148->72149 72149->72147 72150 32c16f0 111 API calls 72149->72150 72151 32d1155 72150->72151 72151->72147 72152 32c16f0 111 API calls 72151->72152 72153 32d1166 72152->72153 72154 32d1090 EnterCriticalSection 72153->72154 72155 32d116d 72154->72155 72155->72147 72156 32d1173 IsWindow 72155->72156 72156->72147 72157 32d117e #3797 72156->72157 72157->72147 72158 32d118c SetTimer 72157->72158 72158->72147 72159 32d0ff0 EnumWindows 72161 32d100c 72159->72161 72163 32d1087 72159->72163 72160 32d1054 IsWindow 72160->72161 72161->72160 72161->72163 72164 32d15c0 7 API calls 72161->72164 72164->72161 72165 100eb6ad 72166 100eb6c0 72165->72166 72169 100eb6c9 72165->72169 72174 100eb6f1 72166->72174 72175 100eb217 72166->72175 72169->72166 72169->72174 72192 100eb602 72169->72192 72171 100eb711 72172 100eb602 3 
API calls 72171->72172 72171->72174 72172->72174 72173 100eb602 3 API calls 72173->72171 72176 100eb2ba 72175->72176 72177 100eb227 #1116 #1176 #1575 72175->72177 72178 100eb306 72176->72178 72179 100eb2c0 #1243 #1176 #1168 72176->72179 72180 100eb26e #1577 72177->72180 72181 100eb250 #1168 72177->72181 72185 100eb30c #6467 #1197 #1570 #1255 72178->72185 72188 100eb336 72178->72188 72183 100eb2e7 #1197 #1570 #1577 #1253 72179->72183 72184 100eb2e0 72179->72184 72182 100eb2a3 #1176 #1243 72180->72182 72186 100eb25c 72181->72186 72187 100eb275 #1182 #823 72181->72187 72182->72188 72183->72188 72184->72183 72185->72188 72186->72187 72191 100eb267 72186->72191 72189 100eb29c 72187->72189 72190 100eb292 #342 72187->72190 72188->72171 72188->72173 72188->72174 72189->72182 72190->72189 72191->72180 72193 100eb60a 72192->72193 72194 100eb62b malloc 72193->72194 72196 100eb640 72193->72196 72198 100eb66a 72193->72198 72195 100eb644 _initterm 72194->72195 72194->72196 72195->72196 72196->72166 72197 100eb697 free 72197->72196 72198->72196 72198->72197 72199 47eee0 72200 47ef23 __vbaCastObj __vbaObjSet 72199->72200 72201 47ef84 __vbaFreeObj __vbaStrCat __vbaStrMove 72200->72201 72202 47efaf 72201->72202 72203 47efb5 __vbaHresultCheckObj 72202->72203 72204 47efc4 __vbaFreeStr 72202->72204 72203->72204 72205 47efe6 72204->72205 72206 47efd6 __vbaNew2 72204->72206 72207 47effc __vbaHresultCheckObj 72205->72207 72208 47f00b 72205->72208 72206->72205 72207->72208 72209 47f020 __vbaHresultCheckObj 72208->72209 72210 47f02f __vbaStrCat __vbaStrMove 72208->72210 72209->72210 72389 47dcd0 9 API calls 72210->72389 72212 47f04f __vbaFreeStrList __vbaFreeObj 72213 47f07f 72212->72213 72214 47f24e __vbaObjSet 72212->72214 72215 47f098 72213->72215 72216 47f088 __vbaNew2 72213->72216 72220 47f26b 72214->72220 72217 47f0c5 72215->72217 72218 47f0b5 __vbaNew2 72215->72218 72216->72215 72221 47f0f5 72217->72221 72222 47f0e0 __vbaHresultCheckObj 72217->72222 72218->72217 72223 47f271 
__vbaHresultCheckObj 72220->72223 72224 47f280 __vbaFreeObj 72220->72224 72226 47f123 __vbaStrCat 72221->72226 72227 47f10e __vbaHresultCheckObj 72221->72227 72222->72221 72223->72224 72225 47f292 __vbaObjSet 72224->72225 72228 47f2a6 72225->72228 72229 47f1e1 72226->72229 72227->72226 72230 47f2ac __vbaHresultCheckObj 72228->72230 72231 47f2bb __vbaFreeObj 72228->72231 72232 47f1e7 __vbaHresultCheckObj 72229->72232 72233 47f1f6 __vbaObjSet 72229->72233 72230->72231 72234 47f2cd __vbaObjSet 72231->72234 72232->72233 72235 47f211 72233->72235 72238 47f2e3 __vbaObjSet 72234->72238 72236 47f217 __vbaHresultCheckObj 72235->72236 72237 47f229 __vbaFreeStr __vbaFreeObjList __vbaFreeVar 72235->72237 72236->72237 72237->72214 72239 47f2f9 72238->72239 72240 47f2ff __vbaHresultCheckObj 72239->72240 72241 47f30e 72239->72241 72240->72241 72242 480468 72241->72242 72243 47f33a __vbaHresultCheckObj 72241->72243 72244 47f349 __vbaFreeObjList 72241->72244 72242->72242 72243->72244 72245 47f365 __vbaObjSet 72244->72245 72246 47f37b __vbaObjSet 72245->72246 72247 47f391 72246->72247 72248 47f397 __vbaHresultCheckObj 72247->72248 72249 47f3a6 72247->72249 72248->72249 72249->72242 72250 47f3d2 __vbaHresultCheckObj 72249->72250 72251 47f3e1 __vbaFreeObjList 72249->72251 72250->72251 72252 47f3fd __vbaObjSet 72251->72252 72253 47f413 __vbaObjSet 72252->72253 72254 47f42c 72253->72254 72255 47f444 72254->72255 72256 47f432 __vbaHresultCheckObj 72254->72256 72257 47f472 __vbaFreeObjList 72255->72257 72258 47f460 __vbaHresultCheckObj 72255->72258 72256->72255 72259 47f48e __vbaObjSet 72257->72259 72258->72257 72260 47f4a4 __vbaObjSet 72259->72260 72261 47f4bd 72260->72261 72262 47f4d5 72261->72262 72263 47f4c3 __vbaHresultCheckObj 72261->72263 72264 47f503 __vbaFreeObjList 72262->72264 72265 47f4f1 __vbaHresultCheckObj 72262->72265 72263->72262 72266 47f51f __vbaObjSet 72264->72266 72265->72264 72267 47f533 72266->72267 72268 47f54b __vbaFreeObj 72267->72268 72269 47f539 
__vbaHresultCheckObj 72267->72269 72270 47f55d __vbaObjSet 72268->72270 72269->72268 72271 47f571 72270->72271 72272 47f577 __vbaHresultCheckObj 72271->72272 72273 47f589 __vbaFreeObj 72271->72273 72272->72273 72274 47f59b __vbaObjSet 72273->72274 72275 47f5af 72274->72275 72276 47f5c7 __vbaFreeObj 72275->72276 72277 47f5b5 __vbaHresultCheckObj 72275->72277 72278 47f5e9 72276->72278 72279 47f5d9 __vbaNew2 72276->72279 72277->72276 72280 47f5ff __vbaHresultCheckObj 72278->72280 72281 47f60e 72278->72281 72279->72278 72280->72281 72282 47f623 __vbaHresultCheckObj 72281->72282 72283 47f632 __vbaStrCat __vbaStrMove __vbaFreeStr __vbaFreeObj 72281->72283 72282->72283 72284 47dcd0 14 API calls 72283->72284 72285 47f667 72284->72285 72286 47f671 72285->72286 72287 47ff48 72285->72287 72288 47f68a 72286->72288 72289 47f67a __vbaNew2 72286->72289 72290 47ff52 __vbaNew2 72287->72290 72291 47ff68 72287->72291 72294 47f6a0 __vbaHresultCheckObj 72288->72294 72295 47f6af 72288->72295 72289->72288 72290->72291 72292 47ff72 __vbaNew2 72291->72292 72293 47ff88 72291->72293 72292->72293 72296 47ffb0 72293->72296 72297 47ff9e __vbaHresultCheckObj 72293->72297 72294->72295 72298 47f6c4 __vbaHresultCheckObj 72295->72298 72299 47f6d3 72295->72299 72296->72242 72302 47fff1 72296->72302 72303 47ffdf __vbaHresultCheckObj 72296->72303 72297->72296 72298->72299 72300 47f6ec 72299->72300 72301 47f6dc __vbaNew2 72299->72301 72306 47f702 __vbaHresultCheckObj 72300->72306 72307 47f711 72300->72307 72301->72300 72304 48000a 72302->72304 72305 47fffa __vbaNew2 72302->72305 72303->72302 72308 48002f 72304->72308 72309 480020 __vbaHresultCheckObj 72304->72309 72305->72304 72306->72307 72310 47f726 __vbaHresultCheckObj 72307->72310 72311 47f735 7 API calls 72307->72311 72314 480053 72308->72314 72315 480044 __vbaHresultCheckObj 72308->72315 72309->72308 72310->72311 72312 47dcd0 14 API calls 72311->72312 72313 47f792 __vbaFreeStrList __vbaFreeObjList __vbaFreeVar 72312->72313 72316 47f7de __vbaObjSet 
__vbaLateIdSt __vbaFreeObj 72313->72316 72317 47fa7d __vbaObjSet 72313->72317 72318 48006c 72314->72318 72319 48005c __vbaNew2 72314->72319 72315->72314 72326 47f832 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72316->72326 72322 47faac 72317->72322 72323 47fa9c __vbaNew2 72317->72323 72324 480091 72318->72324 72325 480082 __vbaHresultCheckObj 72318->72325 72319->72318 72330 47fb74 __vbaHresultCheckObj 72322->72330 72331 47fb83 __vbaObjSet 72322->72331 72323->72322 72328 4800b5 7 API calls 72324->72328 72329 4800a6 __vbaHresultCheckObj 72324->72329 72325->72324 72326->72242 72327 47f864 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72326->72327 72338 47f8c3 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72327->72338 72332 47dcd0 14 API calls 72328->72332 72329->72328 72330->72331 72334 47fbb3 72331->72334 72335 480112 __vbaFreeStrList __vbaFreeObjList __vbaFreeVar 72332->72335 72336 47fbb9 __vbaHresultCheckObj 72334->72336 72337 47fbc8 __vbaFreeObjList 72334->72337 72339 48015e __vbaObjSet __vbaLateIdSt __vbaFreeObj 72335->72339 72340 4803f3 __vbaFreeStr 72335->72340 72336->72337 72343 47fbed __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72337->72343 72338->72242 72341 47f8f5 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72338->72341 72347 4801b2 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72339->72347 72348 47f954 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72341->72348 72343->72242 72346 47fc1f __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72343->72346 72352 47fc7e __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72346->72352 72347->72242 72350 4801e4 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72347->72350 72348->72242 72351 47f986 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72348->72351 72358 480243 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72350->72358 72356 47f9f3 72351->72356 72357 47f9de __vbaNew2 72351->72357 72352->72242 72355 47fcad __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72352->72355 72364 47fd0f __vbaObjSet 
__vbaLateIdCallLd __vbaR4Var 72355->72364 72359 47fa12 72356->72359 72360 47f9fd __vbaNew2 72356->72360 72357->72356 72358->72242 72362 480275 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72358->72362 72365 47fa3c 72359->72365 72366 47fa2a __vbaHresultCheckObj 72359->72366 72360->72359 72368 4802d4 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72362->72368 72364->72242 72367 47fd41 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72364->72367 72365->72242 72365->72317 72372 47fa6b __vbaHresultCheckObj 72365->72372 72366->72365 72371 47fda0 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72367->72371 72368->72242 72370 480306 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72368->72370 72375 48035e __vbaNew2 72370->72375 72376 480373 72370->72376 72371->72242 72374 47fdd2 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72371->72374 72372->72317 72380 47fe31 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72374->72380 72375->72376 72377 480379 __vbaNew2 72376->72377 72378 48038e 72376->72378 72377->72378 72381 4803b8 72378->72381 72382 4803a6 __vbaHresultCheckObj 72378->72382 72380->72242 72383 47fe63 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72380->72383 72381->72242 72381->72340 72385 4803e1 __vbaHresultCheckObj 72381->72385 72382->72381 72386 47fec2 __vbaObjSet __vbaLateIdCallLd __vbaR4Var 72383->72386 72385->72340 72386->72242 72387 47fef4 __vbaObjSet __vbaLateIdSt __vbaFreeObjList __vbaFreeVar 72386->72387 72387->72340 72390 47dd8e 72389->72390 72391 47ddb3 72390->72391 72392 47dd99 __vbaHresultCheckObj 72390->72392 72393 47ddba __vbaFreeObj 72391->72393 72392->72393 72394 47ddda __vbaOnError 72393->72394 72396 47de1f __vbaFreeStr __vbaFreeStr 72394->72396 72396->72212 72397 483860 72398 483897 72397->72398 72399 483a87 72398->72399 72400 4838c2 72398->72400 72404 483a0b 72398->72404 72402 4838d5 __vbaHresultCheckObj 72400->72402 72403 4838e7 72400->72403 72401 483a3c 72401->72399 72405 483a75 __vbaHresultCheckObj 72401->72405 
72402->72403 72407 48390b __vbaFreeObj 72403->72407 72408 4838fc __vbaHresultCheckObj 72403->72408 72404->72401 72406 483a32 __vbaSetSystemError 72404->72406 72405->72399 72406->72401 72407->72401 72409 483920 72407->72409 72408->72407 72410 483933 __vbaSetSystemError __vbaObjSetAddref #644 72409->72410 72420 40b8f4 72410->72420 72421 40b8fd 72420->72421 72422 482d20 72423 482d60 __vbaObjSetAddref 72422->72423 72424 482db9 72423->72424 72425 482dbf __vbaHresultCheckObj 72424->72425 72426 482dd5 72424->72426 72427 482ddb __vbaBoolVar 72425->72427 72426->72427 72428 482df5 72427->72428 72429 482df9 __vbaHresultCheckObj 72428->72429 72430 482e07 __vbaFreeVar 72428->72430 72429->72430 72431 482e1d 72430->72431 72432 482e31 72431->72432 72433 482e23 __vbaHresultCheckObj 72431->72433 72434 482e73 __vbaHresultCheckObj 72432->72434 72435 482e85 __vbaCastObjVar __vbaObjSet 72432->72435 72433->72432 72434->72435 72436 482eac 72435->72436 72437 482eb0 __vbaHresultCheckObj 72436->72437 72438 482ec2 __vbaFreeObj __vbaFreeVarList 72436->72438 72437->72438 72439 482f13 72438->72439 72440 482f19 __vbaHresultCheckObj 72439->72440 72441 482f2b __vbaStrVarMove __vbaStrMove 72439->72441 72440->72441 72442 482f4d 72441->72442 72443 482f51 __vbaHresultCheckObj 72442->72443 72444 482f63 __vbaFreeStr __vbaFreeVar __vbaObjSetAddref 72442->72444 72443->72444 72445 482fb7 __vbaFreeObj 72444->72445 72453 100803a0 72454 100803b0 #823 72453->72454 72455 100803e0 72454->72455 72456 10080414 72454->72456 72459 1008c5a0 10 API calls 72455->72459 72458 10080400 72459->72458 72460 32a5c40 72461 32c16f0 111 API calls 72460->72461 72462 32a5c6d 72461->72462 72477 32c5e60 111 API calls 72462->72477 72464 32a5c77 72478 32c6160 72464->72478 72467 32a5c99 LoadStringA 72468 32a5cb7 72467->72468 72469 32a5ce2 72467->72469 72503 32c5f00 #800 #800 #614 FreeLibrary 72468->72503 72504 32a5710 62 API calls 72469->72504 72471 32a5cc7 #800 72473 32a5d26 72471->72473 72474 32a5cfb 72505 32c5f00 #800 #800 #614 
FreeLibrary 72474->72505 72476 32a5d0d #800 72476->72473 72477->72464 72479 32c6183 #860 #860 72478->72479 72480 32c61ac 72479->72480 72488 32c62a8 72479->72488 72481 32a5c95 72480->72481 72482 32c61b9 #923 #922 #800 72480->72482 72481->72467 72481->72468 72483 32c627b LoadLibraryA 72482->72483 72484 32c61f1 GetFileAttributesA 72482->72484 72485 32c6289 LoadLibraryExA 72483->72485 72486 32c6296 #800 72483->72486 72484->72483 72487 32c6201 72484->72487 72485->72486 72486->72488 72487->72483 72493 32c6205 #823 72487->72493 72488->72481 72489 32c62f6 #535 #6876 #6876 FindResourceA 72488->72489 72506 32c6010 10 API calls 72488->72506 72491 32c633c LoadResource 72489->72491 72492 32c634b #800 72489->72492 72491->72492 72495 32c635c LockResource SizeofResource 72491->72495 72492->72481 72496 32c621c #533 72493->72496 72499 32c6225 72493->72499 72494 32c62d9 #858 #800 72494->72489 72497 32c637f 72495->72497 72496->72499 72498 32c6398 #800 72497->72498 72498->72481 72500 32c626a 72499->72500 72501 32c6241 #800 72499->72501 72500->72498 72501->72481 72503->72471 72504->72474 72505->72476 72506->72494 72507 32cc540 72530 32c6c30 #825 #825 #2841 72507->72530 72509 32cc56e #540 #540 72524 32cc59d 72509->72524 72510 32cc8c3 72564 32c6cf0 30 API calls 72510->72564 72511 32cc5b1 #6282 #2763 72511->72524 72513 32cc5cf #4129 #858 #800 72513->72524 72514 32cc608 #4204 72515 32cc61a #4278 #858 #800 #535 72514->72515 72514->72524 72562 32cc1b0 632 API calls 72515->72562 72516 32cc8ff #800 #800 72517 32cc8e3 72517->72516 72519 32cc678 #2763 72520 32cc68d #4129 #6283 #4204 72519->72520 72519->72524 72520->72524 72521 32cc89f #800 72521->72524 72522 32cc6df #4277 #6282 #6283 #4204 72522->72524 72524->72510 72524->72511 72524->72513 72524->72514 72524->72519 72524->72521 72524->72522 72525 32cc891 #800 72524->72525 72526 32cc7f9 #823 72524->72526 72527 32cc830 #2107 72524->72527 72528 32cc791 #825 72524->72528 72531 32cc420 #823 72524->72531 72563 32d0590 #825 #2841 72524->72563 
72525->72521 72526->72524 72527->72524 72528->72524 72530->72509 72532 32cc430 72531->72532 72533 32cc4fa 72532->72533 72535 32cc48d 72532->72535 72536 32cc47a 72532->72536 72537 32cc454 72532->72537 72538 32cc4c6 72532->72538 72539 32cc467 72532->72539 72540 32cc4e7 72532->72540 72541 32cc4a0 72532->72541 72542 32cc4b3 72532->72542 72534 32cc50e 72533->72534 72554 32cc505 #825 72533->72554 72534->72524 72568 32c6820 #825 #825 sscanf 72535->72568 72567 32c6780 #825 #825 _mbsicmp 72536->72567 72565 32c66c0 #825 #825 sscanf 72537->72565 72571 32c6fb0 74 API calls 72538->72571 72566 32c6720 #825 #825 #823 72539->72566 72573 32c6850 9 API calls 72540->72573 72569 32c67b0 #825 #825 atoi 72541->72569 72570 32c67f0 #825 #825 sscanf 72542->72570 72551 32cc486 72551->72524 72552 32cc4f3 72552->72524 72553 32cc499 72553->72524 72554->72534 72555 32cc4ac 72555->72524 72556 32cc4bf 72556->72524 72557 32cc460 72557->72524 72558 32cc4d5 72572 32c67d0 #825 #825 72558->72572 72559 32cc473 72559->72524 72561 32cc4e0 72561->72524 72562->72524 72563->72524 72564->72517 72565->72557 72566->72559 72567->72551 72568->72553 72569->72555 72570->72556 72571->72558 72572->72561 72573->72552 72574 100cabe0 72579 100a84b0 53 API calls 72574->72579 72576 100cac08 #537 #922 72577 100cac54 #800 #800 #800 72576->72577 72578 100cac42 #1601 72576->72578 72578->72577 72579->72576 72580 32d0a40 72581 32d0a6a 72580->72581 72582 32d0a4a CallWindowProcA 72580->72582 72583 32d0a99 72581->72583 72584 32d0a79 CallWindowProcA 72581->72584 72585 32d0a9e CallWindowProcA 72583->72585 72586 32d0abb 72583->72586 72587 32d8040 #2379 72588 32d8052 72587->72588 72597 32a8e60 72588->72597 72590 32d8085 72604 32d78f0 72590->72604 72594 32d80b9 72595 32d80bd PostMessageA 72594->72595 72596 32d80d0 72594->72596 72595->72596 72598 32a8e6c IsWindow 72597->72598 72600 32a8e7e 72598->72600 72601 32a8ea3 SetRectEmpty 72598->72601 72602 32a8e82 GetWindowRect 72600->72602 72603 32a8e91 GetWindowRect 72600->72603 72601->72590 
72602->72590 72603->72590 72605 32d79b3 72604->72605 72606 32d7901 72604->72606 72617 32d78d0 #3797 72605->72617 72607 32d793a 72606->72607 72618 32d78d0 #3797 72606->72618 72619 32d78d0 #3797 72607->72619 72610 32d7923 72610->72607 72611 32d7927 SetWindowRgn 72610->72611 72611->72607 72612 32d7941 72612->72605 72613 32d7995 72612->72613 72614 32d796f 72612->72614 72613->72605 72615 32d799f SetWindowRgn 72613->72615 72616 32d7980 SetWindowRgn 72614->72616 72615->72605 72616->72605 72617->72594 72618->72610 72619->72612 72620 32d8f80 #5163 72621 32d8faa 72620->72621 72622 100d8fe0 72627 10020b90 63 API calls 72622->72627 72624 100d9001 72628 1009e9b0 72624->72628 72626 100d9010 72627->72624 72629 1009e9bd 72628->72629 72630 1009e9e1 72628->72630 72629->72630 72631 1009e9c9 #5163 72629->72631 72630->72626 72631->72626 72632 467e30 __vbaChkstk 72633 467e85 __vbaOnError 72632->72633 73093 47e0e0 72633->73093 72635 467ea7 72636 467f10 72635->72636 72637 467ef0 __vbaHresultCheckObj 72635->72637 72638 467f46 72636->72638 72639 467f2a __vbaNew2 72636->72639 72637->72636 72640 467fae 72638->72640 72641 467f88 __vbaHresultCheckObj 72638->72641 72639->72638 72642 467fb8 __vbaObjSet 72640->72642 72641->72642 72643 467fe9 72642->72643 72644 46801d 72643->72644 72645 467ffa __vbaHresultCheckObj 72643->72645 72646 468027 __vbaFreeObj 72644->72646 72645->72646 73144 47e800 __vbaStrCopy 72646->73144 72648 46803c 72649 46804c __vbaNew2 72648->72649 72650 468068 72648->72650 72649->72650 72651 4680a7 __vbaHresultCheckObj 72650->72651 72652 4680ca 72650->72652 72651->72652 72653 468127 72652->72653 72654 468104 __vbaHresultCheckObj 72652->72654 72655 468131 __vbaStrCat __vbaStrMove 72653->72655 72654->72655 72656 47dcd0 14 API calls 72655->72656 72657 468151 __vbaFreeStrList __vbaFreeObj 72656->72657 72658 4684f0 72657->72658 72659 46818e 72657->72659 73156 47de50 #535 #594 __vbaFreeVar #593 72658->73156 72661 46819e __vbaNew2 72659->72661 72662 4681ba 72659->72662 72661->72662 72664 
468247 72662->72664 72665 46822b __vbaNew2 72662->72665 72663 4684fc __vbaChkstk #689 __vbaStrMove 73166 47eb80 #561 72663->73166 72671 468286 __vbaHresultCheckObj 72664->72671 72672 4682a9 72664->72672 72665->72664 72667 468576 72668 468581 __vbaChkstk #689 __vbaStrMove __vbaR8Str 72667->72668 73007 469bd5 72667->73007 72669 468602 8 API calls 72668->72669 72670 46cff1 72668->72670 72673 4686c0 72669->72673 72674 46cff6 __vbaErrorOverflow 72670->72674 72671->72672 72683 468306 72672->72683 72684 4682e3 __vbaHresultCheckObj 72672->72684 73924 47e700 6 API calls 72673->73924 72678 46d000 72674->72678 72675 469c2a __vbaObjSet __vbaLateIdCallLd __vbaCastObjVar __vbaObjSet __vbaVarDup 72688 469d56 72675->72688 72676 469c0a __vbaHresultCheckObj 72676->72675 72694 46d06a 72678->72694 72695 46d058 __vbaHresultCheckObj 72678->72695 72679 4686e3 __vbaFreeStr 72681 468715 72679->72681 72682 468709 72679->72682 73926 47e700 6 API calls 72681->73926 73925 47ec90 12 API calls 72682->73925 72687 468310 6 API calls 72683->72687 72684->72687 72696 46841e 72687->72696 72690 469d67 __vbaHresultCheckObj 72688->72690 72691 469d8a 72688->72691 72689 468721 72692 468731 __vbaNew2 72689->72692 72693 46874d 72689->72693 72697 469d94 __vbaFreeObjList __vbaFreeVarList 72690->72697 72691->72697 72692->72693 72704 468792 __vbaHresultCheckObj 72693->72704 72705 4687b8 72693->72705 72698 46d093 72694->72698 72706 46d081 __vbaHresultCheckObj 72694->72706 72695->72694 72699 468452 72696->72699 72700 46842f __vbaHresultCheckObj 72696->72700 72702 469e03 __vbaObjSet __vbaLateIdCallLd __vbaCastObjVar __vbaObjSet 72697->72702 72701 46845c __vbaObjSet 72699->72701 72700->72701 72703 46848d 72701->72703 72709 469e62 72702->72709 72707 4684c1 72703->72707 72708 46849e __vbaHresultCheckObj 72703->72708 72704->72705 72710 4687e7 72705->72710 72711 4687cb __vbaNew2 72705->72711 72706->72698 72712 4684cb __vbaFreeStr __vbaFreeObjList __vbaFreeVar 72707->72712 72708->72712 72713 469e96 72709->72713 72714 
469e73 __vbaHresultCheckObj 72709->72714 72717 468852 72710->72717 72718 46882c __vbaHresultCheckObj 72710->72718 72711->72710 72712->72658 72715 469ef4 72713->72715 72716 469ed1 __vbaHresultCheckObj 72713->72716 72714->72713 72719 469efe __vbaFreeObjList __vbaFreeVarList 72715->72719 72716->72719 72721 468894 __vbaNew2 72717->72721 72722 4688b0 72717->72722 72717->73007 72718->72717 72720 469f4a __vbaObjSet __vbaLateIdCallLd __vbaCastObjVar __vbaObjSet __vbaVarDup 72719->72720 72723 46a042 72720->72723 72721->72722 72724 4688d1 __vbaNew2 72722->72724 72725 4688ed 72722->72725 72726 46a076 72723->72726 72727 46a053 __vbaHresultCheckObj 72723->72727 72724->72725 72729 468952 72725->72729 72730 46892f __vbaHresultCheckObj 72725->72730 72728 46a080 __vbaFreeObjList __vbaFreeVarList 72726->72728 72727->72728 72731 46a0ef __vbaObjSet __vbaLateIdCallLd __vbaCastObjVar __vbaObjSet __vbaVarDup 72728->72731 72736 468986 __vbaHresultCheckObj 72729->72736 72737 4689a9 72729->72737 72730->72729 72732 46a1e7 72731->72732 72733 46a21b 72732->72733 72734 46a1f8 __vbaHresultCheckObj 72732->72734 72735 46a225 __vbaFreeObjList __vbaFreeVarList 72733->72735 72734->72735 72738 46a294 __vbaObjSet __vbaLateIdCallLd __vbaCastObjVar __vbaObjSet __vbaVarDup 72735->72738 72736->72737 72739 4689c3 __vbaNew2 72737->72739 72740 4689df 72737->72740 72741 46a38c 72738->72741 72739->72740 72742 468a00 __vbaNew2 72740->72742 72743 468a1c 72740->72743 72744 46a3c0 72741->72744 72745 46a39d __vbaHresultCheckObj 72741->72745 72742->72743 72747 468a81 72743->72747 72748 468a5e __vbaHresultCheckObj 72743->72748 72746 46a3ca __vbaFreeObjList __vbaFreeVarList 72744->72746 72745->72746 72749 46a439 __vbaObjSet __vbaLateIdCallLd __vbaCastObjVar __vbaObjSet 72746->72749 72753 468ab5 __vbaHresultCheckObj 72747->72753 72754 468ad8 72747->72754 72748->72747 72750 46a498 72749->72750 72751 46a4cc 72750->72751 72752 46a4a9 __vbaHresultCheckObj 72750->72752 72757 46a507 __vbaHresultCheckObj 72751->72757 72758 
                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,00403446), ref: 0047520E
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,00403446), ref: 00475255
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0047527B
                                                                                    • #689.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Key), ref: 004752B4
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004752BF
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004752E9
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004752F4
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000,?,?,?,00403446), ref: 004752FE
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00403446), ref: 00475309
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 00475354
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047538B
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00403446), ref: 00475397
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004753F1
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004753FC
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00403446), ref: 00475406
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00403446), ref: 00475411
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 0047545C
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00475499
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00403446), ref: 004754A5
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00403446), ref: 004754DE
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00403446), ref: 004754E9
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 004754F3
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004754FE
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 00475549
                                                                                    • __vbaI2I4.MSVBVM60 ref: 00475567
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047557E
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047558A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475607
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 00475658
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00475681
                                                                                    • __vbaChkstk.MSVBVM60 ref: 004756B8
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004756F8
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 004756FF
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00475708
                                                                                    • #546.MSVBVM60(?), ref: 00475719
                                                                                    • #610.MSVBVM60(?), ref: 00475723
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475741
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047574F
                                                                                    • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 00475794
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 004757A9
                                                                                    • __vbaDateVar.MSVBVM60(00000000), ref: 004757B0
                                                                                    • __vbaDateR8.MSVBVM60 ref: 004757BC
                                                                                    • #662.MSVBVM60(?,0040B4F4,?,00000007,00000001,00000001), ref: 004757ED
                                                                                    • __vbaVarSub.MSVBVM60(?,?,?), ref: 00475808
                                                                                    • __vbaI4Var.MSVBVM60(00000000), ref: 0047580F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047581E
                                                                                    • __vbaFreeVarList.MSVBVM60(00000008,?,?,?,?,?,?,00000007,?), ref: 00475858
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0047589C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004758DC
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 004758E3
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 004758EC
                                                                                    • #546.MSVBVM60(?), ref: 004758FD
                                                                                    • #610.MSVBVM60(?), ref: 00475907
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475925
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00475933
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475950
                                                                                    • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 00475982
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00475997
                                                                                    • __vbaDateVar.MSVBVM60(00000000), ref: 0047599E
                                                                                    • __vbaDateR8.MSVBVM60 ref: 004759AA
                                                                                    • #662.MSVBVM60(?,0040B4F4,?,00000007,00000001,00000001), ref: 004759DB
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004759F5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040AFD4,000000A8), ref: 00475A43
                                                                                    • __vbaI4Var.MSVBVM60(?,On. Next switch will occur in: ), ref: 00475A67
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 00475A78
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 00475A7F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00475A8A
                                                                                    • __vbaStrCat.MSVBVM60(0040CC30,00000000), ref: 00475A96
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00475AA1
                                                                                    • __vbaStrCat.MSVBVM60(?,00000000), ref: 00475AAC
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00475AB7
                                                                                    • __vbaStrCat.MSVBVM60(0040CC3C,00000000), ref: 00475AC3
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00475ACE
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B7A0,00000054), ref: 00475B0D
                                                                                    • __vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,00000E10), ref: 00475B3F
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00475B56
                                                                                    • __vbaFreeVarList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 00475B93
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00475BC1
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475C01
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00475C08
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00475C11
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475C32
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B7A0,00000054), ref: 00475C7B
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00475C96
                                                                                    • #598.MSVBVM60 ref: 00475CA3
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475CC8
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00475CD3
                                                                                    • #546.MSVBVM60(?), ref: 00475CE3
                                                                                    • #546.MSVBVM60(?), ref: 00475CF0
                                                                                    • #552.MSVBVM60(?,?,00000001), ref: 00475D06
                                                                                    • __vbaVarDup.MSVBVM60 ref: 00475D29
                                                                                    • __vbaVarDup.MSVBVM60 ref: 00475D4F
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475D69
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040AFD4,000000A8), ref: 00475DB7
                                                                                    • #650.MSVBVM60(?,?,00000001,00000001), ref: 00475DDB
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00475DE6
                                                                                    • #650.MSVBVM60(?,?,00000001,00000001,00000000), ref: 00475DFF
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00475E0A
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 00475E11
                                                                                    • __vbaI4Var.MSVBVM60(?,00000000,00000000), ref: 00475E2B
                                                                                    • #706.MSVBVM60(00000000), ref: 00475E32
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00475E3D
                                                                                    • __vbaStrCmp.MSVBVM60(?,00000000), ref: 00475E48
                                                                                    • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00475E71
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00475E84
                                                                                    • __vbaFreeVarList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00475EB3
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475EE6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 00475F2C
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00475F47
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475F68
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 00475FAE
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00475FC9
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00475FEA
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 0047603B
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476064
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047609D
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004760A8
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 004760B2
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004760BD
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00476122
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 0047617F
                                                                                    • __vbaI4Str.MSVBVM60(?), ref: 004761A5
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000009), ref: 004761C7
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004761DB
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004761E7
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047620D
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 0047625E
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476287
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004762C0
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004762CB
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 004762D5
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004762E0
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00476345
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 004763A2
                                                                                    • __vbaI4Str.MSVBVM60(?), ref: 004763C8
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000003), ref: 004763EA
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004763FE
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047640A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476899
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004768A4
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 004768AE
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004768B9
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 00476904
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00476941
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047694D
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476992
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047699D
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 004769A7
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004769B2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00476A17
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000060), ref: 00476A72
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00476A98
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00476AA4
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476ACC
                                                                                    • __vbaLateIdCall.MSVBVM60(00000000), ref: 00476AD3
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,Switch executed but the software is unregistered.,?), ref: 00476B3B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00476B46
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,00000000), ref: 00476B52
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00476B5D
                                                                                    • __vbaStrCat.MSVBVM60(Would you like to purchase a personal license to remove this message?,00000000), ref: 00476B69
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?), ref: 00476B91
                                                                                    • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 00476E4E
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00476E63
                                                                                    • __vbaDateVar.MSVBVM60(00000000), ref: 00476E6A
                                                                                    • __vbaDateR8.MSVBVM60 ref: 00476E76
                                                                                    • #662.MSVBVM60(?,0040B4F4,?,00000007,00000001,00000001), ref: 00476EA7
                                                                                    • __vbaVarSub.MSVBVM60(?,?,?), ref: 00476EC2
                                                                                    • __vbaI4Var.MSVBVM60(00000000), ref: 00476EC9
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476ED8
                                                                                    • __vbaFreeVarList.MSVBVM60(00000008,?,?,?,?,?,?,00000007,?), ref: 00476F12
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00476F56
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476F96
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00476F9D
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476FA6
                                                                                    • #546.MSVBVM60(?), ref: 00476FB7
                                                                                    • #610.MSVBVM60(?), ref: 00476FC1
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476FDF
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00476FED
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047700A
                                                                                    • __vbaVarCat.MSVBVM60(?,00000008,?), ref: 0047703C
                                                                                    • __vbaVarCat.MSVBVM60(?,?,00000000), ref: 00477051
                                                                                    • __vbaDateVar.MSVBVM60(00000000), ref: 00477058
                                                                                    • __vbaDateR8.MSVBVM60 ref: 00477064
                                                                                    • #662.MSVBVM60(?,0040B4F4,?,00000007,00000001,00000001), ref: 00477095
                                                                                    • __vbaStrMove.MSVBVM60(00000000), ref: 004770B8
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 004770BF
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004770CA
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B7A0,00000054), ref: 00477109
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0047712B
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047713E
                                                                                    • __vbaFreeVarList.MSVBVM60(00000008,?,?,?,?,?,?,?,?), ref: 0047717B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00477331
                                                                                    • #650.MSVBVM60(?,?,00000001,00000001,00000000), ref: 0047734A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00477355
                                                                                    • __vbaStrCmp.MSVBVM60(00000000), ref: 0047735C
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0047737A
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00477386
                                                                                    • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004773A4
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004773D7
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 0047741D
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00477438
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00477459
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 0047749F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 004774BA
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004774DB
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 0047752C
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00477555
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047758E
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00477599
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 004775A3
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004775AE
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00477613
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 00477670
                                                                                    • __vbaI4Str.MSVBVM60(?), ref: 00477696
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000001), ref: 004776B8
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004776CC
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004776D8
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004776FE
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 0047774F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00477778
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004777B1
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004777BC
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 004777C6
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004777D1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00477836
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 00477893
                                                                                    • __vbaI4Str.MSVBVM60(?), ref: 004778B9
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000003), ref: 004778DB
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004778EF
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004778FB
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00477D8A
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00477D95
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 00477D9F
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00477DAA
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 00477DF5
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00477E32
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00477E3E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00477E83
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00477E8E
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 00477E98
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00477EA3
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00477F08
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000060), ref: 00477F63
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00477F89
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00477F95
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00477FBD
                                                                                    • __vbaLateIdCall.MSVBVM60(00000000), ref: 00477FC4
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00477FD0
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,Switch executed but the software is unregistered.,?), ref: 0047802E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00478039
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,00000000), ref: 00478045
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00478050
                                                                                    • __vbaStrCat.MSVBVM60(Would you like to purchase a personal license to remove this message?,00000000), ref: 0047805C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00478067
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?), ref: 00478084
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004780A8
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 004780EE
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00478109
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047812A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 00478173
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047818E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004781B4
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 00478205
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047822E
                                                                                    • #561.MSVBVM60(00000009), ref: 00478267
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047827A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004782AA
                                                                                    • __vbaStrI2.MSVBVM60(00000000), ref: 004782B8
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004782C3
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEC8,000000A4), ref: 00478308
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00478323
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047832C
                                                                                    • #561.MSVBVM60(00000009), ref: 00478356
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00478369
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478399
                                                                                    • __vbaStrI2.MSVBVM60(00000000), ref: 004783A7
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004783B2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEC8,000000A4), ref: 004783F7
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00478412
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047841B
                                                                                    • #561.MSVBVM60(00000009), ref: 00478445
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00478458
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478488
                                                                                    • __vbaStrI2.MSVBVM60(00000005), ref: 00478496
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004784A1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEC8,000000A4), ref: 004784E6
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00478501
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047850A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047852B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEC8,000000A0), ref: 00478579
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004785A5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEC8,000000A0), ref: 004785F3
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047861F
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BEC8,000000A0), ref: 0047866D
                                                                                    • __vbaR8Str.MSVBVM60(?), ref: 00478689
                                                                                    • __vbaR8Str.MSVBVM60(?), ref: 004786A9
                                                                                    • __vbaR8Str.MSVBVM60(?), ref: 004786CF
                                                                                    • __vbaFpI4.MSVBVM60 ref: 004786E5
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 004786FF
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00478716
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00478741
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478781
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00478788
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00478791
                                                                                    • __vbaChkstk.MSVBVM60 ref: 004787CE
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047880E
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00478815
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047881E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047883F
                                                                                    • __vbaStrMove.MSVBVM60(00000E10,On. Next switch will occur in: ), ref: 0047886D
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 00478874
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047887F
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B7A0,00000054), ref: 004788BE
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004788E0
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 004788EC
                                                                                    • #598.MSVBVM60 ref: 004788F9
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478944
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 0047898A
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 004789A5
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004789C6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 00478A0C
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00478A27
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478A48
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 00478A99
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00478AC2
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478AFB
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00478B06
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 00478B10
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478B1B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00478B80
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 00478BDD
                                                                                    • __vbaI4Str.MSVBVM60(?), ref: 00478C03
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000001), ref: 00478C25
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00478C39
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00478C45
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478C6B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 00478CBC
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00478CE5
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478D1E
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00478D29
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 00478D33
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00478D3E
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00478DA3
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 00478E00
                                                                                    • __vbaI4Str.MSVBVM60(?), ref: 00478E26
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000003), ref: 00478E48
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00478E5C
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00478E68
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004792F7
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00479302
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 0047930C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479317
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 00479362
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047939F
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 004793AB
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004793F0
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004793FB
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 00479405
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479410
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00479475
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000060), ref: 004794D0
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004794F6
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00479502
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047952A
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00479535
                                                                                    • __vbaBoolVar.MSVBVM60(00000000), ref: 0047953F
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479563
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047956E
                                                                                    • __vbaBoolVar.MSVBVM60(00000000), ref: 00479578
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00479592
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004795A5
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004795DB
                                                                                    • __vbaLateIdCall.MSVBVM60(00000000), ref: 004795E2
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 004795EE
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,Switch executed but the software is unregistered.,?), ref: 0047964C
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00479657
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,00000000), ref: 00479663
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047966E
                                                                                    • __vbaStrCat.MSVBVM60(Would you like to purchase a personal license to remove this message?,00000000), ref: 0047967A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00479685
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?), ref: 004796A2
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004796C6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 0047970C
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00479727
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479748
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 00479791
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 004797AC
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004797D2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 00479823
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047984C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479885
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00479890
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 0047989A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004798A5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000024), ref: 0047990A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000084), ref: 0047996F
                                                                                    • #561.MSVBVM60(00000008), ref: 004799AB
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004799D1
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004799E4
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479A20
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00479A2B
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 00479A35
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479A40
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000024), ref: 00479AA5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000084), ref: 00479B0A
                                                                                    • __vbaI4Str.MSVBVM60(00000000), ref: 00479B26
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00479B35
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00479B49
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00479B55
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00479B7D
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479BBD
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00479BC4
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00479BCD
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00479C0A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479C4A
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00479C51
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00479C5A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479C7B
                                                                                    • __vbaI4Var.MSVBVM60(?,On. Next switch will occur in: ), ref: 004770A7
                                                                                      • Part of subcall function 0047DFC0: __vbaVarDup.MSVBVM60 ref: 0047E00B
                                                                                      • Part of subcall function 0047DFC0: #660.MSVBVM60(?,?,?,00000001,00000001), ref: 0047E05C
                                                                                      • Part of subcall function 0047DFC0: __vbaStrVarMove.MSVBVM60(?,?,?,?,00000001,00000001), ref: 0047E066
                                                                                      • Part of subcall function 0047DFC0: __vbaStrMove.MSVBVM60(?,?,?,00000001,00000001), ref: 0047E071
                                                                                      • Part of subcall function 0047DFC0: __vbaFreeVarList.MSVBVM60(00000003,00000005,?,?,?,?,?,00000001,00000001), ref: 0047E085
                                                                                    • __vbaChkstk.MSVBVM60 ref: 004771A9
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004771E9
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 004771F0
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 004771F9
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047721A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B7A0,00000054), ref: 00477263
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047727E
                                                                                    • #598.MSVBVM60 ref: 0047728B
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004772B0
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 004772BB
                                                                                    • #546.MSVBVM60(?), ref: 004772CB
                                                                                    • __vbaVarDup.MSVBVM60 ref: 004772EE
                                                                                    • __vbaVarDup.MSVBVM60 ref: 00477314
                                                                                    • #650.MSVBVM60(?,?,00000001,00000001), ref: 00477326
                                                                                    • __vbaStrMove.MSVBVM60(00000E10,On. Next switch will occur in: ), ref: 00479CA9
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 00479CB0
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00479CBB
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B7A0,00000054), ref: 00479CFA
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 00479D1C
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00479D28
                                                                                    • #598.MSVBVM60 ref: 00479D35
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479D80
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 00479DC6
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00479DE1
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479E02
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 00479E48
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00479E63
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479E84
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 00479ED5
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00479EFE
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479F37
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00479F42
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 00479F4C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00479F57
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 00479FBC
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 0047A019
                                                                                    • __vbaI4Str.MSVBVM60(00000000), ref: 0047A03F
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000001), ref: 0047A061
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0047A075
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047A081
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A0A7
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 0047A0F8
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047A121
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A15A
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047A165
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 0047A16F
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A17A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 0047A1DF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000024), ref: 0047A23C
                                                                                    • __vbaI4Str.MSVBVM60(00000000), ref: 0047A262
                                                                                    • __vbaFreeStr.MSVBVM60(?,00000003), ref: 0047A284
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0047A298
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047A2A4
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A733
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047A73E
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 0047A748
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A753
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 0047A79E
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047A7DB
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047A7E7
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A82C
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047A837
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 0047A841
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A84C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 0047A8B1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000060), ref: 0047A90C
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0047A932
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047A93E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A966
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047A971
                                                                                    • __vbaBoolVar.MSVBVM60(00000000), ref: 0047A97B
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047A99F
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047A9AA
                                                                                    • __vbaBoolVar.MSVBVM60(00000000), ref: 0047A9B4
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047A9CE
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0047A9E1
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047AA17
                                                                                    • __vbaLateIdCall.MSVBVM60(00000000), ref: 0047AA1E
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047AA2A
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,Switch executed but the software is unregistered.,?), ref: 0047AA88
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047AA93
                                                                                    • __vbaStrCat.MSVBVM60(0040B208,00000000), ref: 0047AA9F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047AAAA
                                                                                    • __vbaStrCat.MSVBVM60(Would you like to purchase a personal license to remove this message?,00000000), ref: 0047AAB6
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047AAC1
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00476B74
                                                                                      • Part of subcall function 0047EE10: #595.MSVBVM60(?,00000004,?,?,?,?,00000000), ref: 0047EE74
                                                                                      • Part of subcall function 0047EE10: __vbaI2I4.MSVBVM60(?,00000000), ref: 0047EE7C
                                                                                      • Part of subcall function 0047EE10: __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000), ref: 0047EE92
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476BB5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 00476BFB
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476C16
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476C37
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 00476C80
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476C9B
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476CC1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B088,000000E0), ref: 00476D12
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476D3B
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00476D72
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476DB2
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 00476DB9
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476DC2
                                                                                    • #546.MSVBVM60(?), ref: 00476DD3
                                                                                    • #610.MSVBVM60(?), ref: 00476DDD
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00476DFB
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 00476E09
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00476ADF
                                                                                      • Part of subcall function 0047EB80: #561.MSVBVM60(?,00000002,6C97D8B1,?), ref: 0047EBC2
                                                                                      • Part of subcall function 0047EB80: __vbaStrCmp.MSVBVM60(0040C118), ref: 0047EBDA
                                                                                      • Part of subcall function 0047EB80: __vbaStrI2.MSVBVM60(00000001), ref: 0047EBF4
                                                                                      • Part of subcall function 0047EB80: __vbaStrMove.MSVBVM60 ref: 0047EBFF
                                                                                    • __vbaFreeStrList.MSVBVM60(00000003,00000000,?,?,?), ref: 0047AADE
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047AB02
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,0000005C), ref: 0047AB48
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047AB63
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047AB84
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B500,00000064), ref: 0047ABCD
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047ABE8
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047AC36
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047AC41
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 0047AC4B
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047AC56
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000001C), ref: 0047ACA1
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047ACDE
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047ACEA
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047AD2F
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047AD3A
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000), ref: 0047AD44
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047AD4F
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,00000030), ref: 0047ADB4
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B064,00000060), ref: 0047AE0F
                                                                                    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0047AE35
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047AE41
                                                                                    • __vbaExitProc.MSVBVM60(?,?,?,?,?,?,00403446), ref: 0047B04B
                                                                                    • __vbaFreeStr.MSVBVM60(0047B0E6,?,?,?,?,?,?,00403446), ref: 0047B0DF
                                                                                    • __vbaErrorOverflow.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00403446), ref: 0047B10D
                                                                                    • __vbaChkstk.MSVBVM60(00000000,00403446), ref: 0047B13E
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,00000000,00403446), ref: 0047B16E
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,00000058), ref: 0047B1B1
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047B205
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000), ref: 0047B210
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000,?,?,00000000,00403446), ref: 0047B21A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,00000000,00403446), ref: 0047B225
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000002C), ref: 0047B269
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047B28B
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,00403446), ref: 0047B297
                                                                                    • __vbaNew.MSVBVM60(0040D048,?,?,?,?,?,00000000,00403446), ref: 0047B2A9
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00000000,00403446), ref: 0047B2B4
                                                                                    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,00000000,00403446), ref: 0047B2C2
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,00000000,00403446), ref: 0047B2CB
                                                                                    • __vbaStrCmp.MSVBVM60(0040C118), ref: 0047B361
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BFBC,00000020), ref: 0047B43F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$CheckHresult$List$Late$Call$Move$Cast$Chkstk$Date$#546$#561$#598#610#650#662Bool$Error$#552#595#660#689#706AddrefExitOverflowProc
                                                                                    • String ID: Automatically Switch Between Applications At Certain Times Software$Key$On. Next switch will occur in: $Sobolsoft$Switch executed but the software is unregistered.$Would you like to purchase a personal license to remove this message?$hh:nn:ss AMPM$~
                                                                                    • API String ID: 2869593464-648391333
                                                                                    • Opcode ID: 78eba51e6d756e10fc0794b03899d7e79cf61e7abcad5452b517b742c73215d3
                                                                                    • Instruction ID: 20e8edd8969d9dcb7c68adfde7cd852472b3fa75be869a0ce99eb4e53fb9ee89
                                                                                    • Opcode Fuzzy Hash: 78eba51e6d756e10fc0794b03899d7e79cf61e7abcad5452b517b742c73215d3
                                                                                    • Instruction Fuzzy Hash: D4D30C75900218EFDB14DFA0CD89BDEB7B4FF48704F108599E60AAB250DB749A85CFA4
                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,00403446), ref: 00467E4E
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,00403446), ref: 00467E95
                                                                                      • Part of subcall function 0047E0E0: __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047E145
                                                                                      • Part of subcall function 0047E0E0: __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014), ref: 0047E170
                                                                                      • Part of subcall function 0047E0E0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047E198
                                                                                      • Part of subcall function 0047E0E0: __vbaStrCat.MSVBVM60(\x\o.cjs,?), ref: 0047E1A3
                                                                                      • Part of subcall function 0047E0E0: #645.MSVBVM60(?,00000000), ref: 0047E1B8
                                                                                      • Part of subcall function 0047E0E0: __vbaStrMove.MSVBVM60 ref: 0047E1C3
                                                                                      • Part of subcall function 0047E0E0: __vbaStrCmp.MSVBVM60(0040C118,00000000), ref: 0047E1CF
                                                                                      • Part of subcall function 0047E0E0: __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0047E1E9
                                                                                      • Part of subcall function 0047E0E0: __vbaFreeObj.MSVBVM60 ref: 0047E1F5
                                                                                      • Part of subcall function 0047E0E0: __vbaFreeVar.MSVBVM60 ref: 0047E1FE
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,00000054), ref: 00467F02
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 00467F34
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BA8C,00000160), ref: 00467FA0
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 00467FD3
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,00000164), ref: 0046800F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046802A
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 00468056
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BCA8,00000014), ref: 004680BC
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BCC8,00000050), ref: 00468119
                                                                                    • __vbaStrCat.MSVBVM60(\HAND-M.CUR,?), ref: 0046813A
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00468145
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 0046816D
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,00403446), ref: 00468179
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8,?,?,00403446), ref: 004681A8
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 00468235
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCA8,00000014), ref: 0046829B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 004682F8
                                                                                    • __vbaStrCat.MSVBVM60(\HAND-M.CUR,?), ref: 00468319
                                                                                    • __vbaChkstk.MSVBVM60(?), ref: 00468332
                                                                                    • __vbaChkstk.MSVBVM60(?), ref: 00468361
                                                                                    • __vbaChkstk.MSVBVM60(?), ref: 00468390
                                                                                    • __vbaChkstk.MSVBVM60(?), ref: 004683BF
                                                                                    • __vbaChkstk.MSVBVM60(?), ref: 004683EE
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCA8,00000044), ref: 00468444
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 00468477
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,00000224), ref: 004684B3
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004684CE
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004684DE
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,00403446), ref: 004684EA
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046851C
                                                                                    • #689.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Key), ref: 00468555
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00468560
                                                                                    • __vbaChkstk.MSVBVM60(?), ref: 004685A1
                                                                                    • #689.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Loads,?), ref: 004685DA
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004685E5
                                                                                    • __vbaR8Str.MSVBVM60(00000000), ref: 004685EC
                                                                                    • __vbaStrR8.MSVBVM60(?,?,?,?,00403446), ref: 00468608
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,00403446), ref: 00468613
                                                                                    • #690.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Loads,00000000,?,?,?,?,00403446), ref: 00468629
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00403446), ref: 00468639
                                                                                    • __vbaChkstk.MSVBVM60 ref: 00468662
                                                                                    • #689.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Loads), ref: 0046869B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 004686A6
                                                                                    • __vbaR8Str.MSVBVM60(00000000), ref: 004686AD
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 004686F8
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 0046873B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BA8C,00000098), ref: 004687AA
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 004687D5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BA8C,00000098), ref: 00468844
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 0046889E
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 004688DB
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,00000070), ref: 00468944
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BA8C,00000074), ref: 0046899B
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 004689CD
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 00468A0A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,00000078), ref: 00468A73
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BA8C,0000007C), ref: 00468ACA
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 00468AFC
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BA8C,00000080), ref: 00468B6B
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 00468B96
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 00468BD3
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046BA34
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,000000A4), ref: 0046BA78
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046BAB0
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046BAF0
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0046BAF7
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046BB00
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046BB26
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046BB69
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0046BB70
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046BB79
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046BB9F
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046BBE2
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0046BBE9
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046BBF2
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046C4D0
                                                                                    • #689.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Windows Startup), ref: 0046C509
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0046C514
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046C52E
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0046C572
                                                                                    • __vbaStrCmp.MSVBVM60(0040B01C,00000000), ref: 0046C57E
                                                                                    • #681.MSVBVM60(0000000A,0000000B,00000003,00000003), ref: 0046C5B5
                                                                                    • __vbaI2Var.MSVBVM60(0000000A), ref: 0046C5C2
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040AFE4,000000E4), ref: 0046C607
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 0046C629
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046C635
                                                                                    • __vbaFreeVarList.MSVBVM60(00000004,0000000B,00000003,00000003,0000000A), ref: 0046C656
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046C67F
                                                                                    • #689.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Minimized), ref: 0046C6B8
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0046C6C3
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046C6DD
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0046C721
                                                                                    • __vbaStrCmp.MSVBVM60(0040B01C,00000000), ref: 0046C72D
                                                                                    • #681.MSVBVM60(0000000A,0000000B,00000003,00000003), ref: 0046C764
                                                                                    • __vbaI2Var.MSVBVM60(0000000A), ref: 0046C771
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040AFE4,000000E4), ref: 0046C7B6
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 0046C7D8
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046C7E4
                                                                                    • __vbaFreeVarList.MSVBVM60(00000004,0000000B,00000003,00000003,0000000A), ref: 0046C805
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046C829
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040AFE4,000000E0), ref: 0046C87A
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046C8AD
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046C8DD
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040AFE4,0000009C), ref: 0046C929
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046C944
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046C965
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040AFE4,000000E0), ref: 0046C9B6
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046C9E9
                                                                                    • __vbaI2I4.MSVBVM60 ref: 0046CA06
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,0000009C), ref: 0046CA42
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046CA7A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040AFE4,0000009C), ref: 0046CAC6
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046CAE1
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046CB17
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0046CB5A
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0046CB61
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046CB6A
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 0046CB8A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BA8C,00000160), ref: 0046CBF6
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 0046CC29
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040A2CC,00000164), ref: 0046CC65
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046CC80
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046CCA6
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0046CCE9
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0046CCF0
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0046CCF9
                                                                                    • __vbaExitProc.MSVBVM60 ref: 0046CF1B
                                                                                    • __vbaFreeStr.MSVBVM60(0046CFCF), ref: 0046CFBF
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0046CFC8
                                                                                    • __vbaErrorOverflow.MSVBVM60 ref: 0046CFF6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00401A98,0040A2CC,000000A0), ref: 0046D064
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00401A98,0040A2CC,000000A4), ref: 0046D08D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                     • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                     • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$Free$Chkstk$New2$List$Move$#689$Late$CallCast$Bool$#681Error$#612#645#690ExitOverflowProc
                                                                                    • String ID: (pH$(pH$@c`$Automatically Switch Between Applications At Certain Times Software$Available Applications (Double-click item to add to Queue below)$Handle$Key$Loads$Minimized$Monday$Off$Off.$Option1$Option2$Option3$Option4$Option5$Option6$Option7$Option8$Progress Bar$Queue (Double-click item to remove it)$Sobolsoft$StartStopState$Status$Text1$Text2$Text3$Time Before Switch$Turn Off$Turn On$Weekly$Weekly Time$Windows Startup$\HAND-M.CUR$pI`$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$ppH$}
                                                                                    APIs
                                                                                    • __vbaCastObj.MSVBVM60(004031C8,0040D6E4), ref: 0047EF64
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047EF75
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047EF87
                                                                                    • __vbaStrCat.MSVBVM60( (Trial Version),Automatically Switch Between Applications At Certain Times Software), ref: 0047EF99
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047EFA4
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,004031C8,0040BA8C,00000054), ref: 0047EFBE
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0047EFC7
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047EFE0
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014), ref: 0047F005
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047F029
                                                                                    • __vbaStrCat.MSVBVM60(\HAND-M.CUR,?), ref: 0047F038
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047F043
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000), ref: 0047F064
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F070
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047F092
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047F0BF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCA8,00000014), ref: 0047F0EF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047F11D
                                                                                    • __vbaStrCat.MSVBVM60(\HAND-M.CUR,?), ref: 0047F12C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000044), ref: 0047F1F0
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 0047F207
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,004031C8,0040BA8C,00000224), ref: 0047F223
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0047F22C
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F23C
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047F248
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F25C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,00000054), ref: 0047F27A
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F283
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F297
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,00000054), ref: 0047F2B5
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F2BE
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F2D2
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F2E8
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,00000078), ref: 0047F308
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D784,0000007C), ref: 0047F343
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F353
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F36A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F380
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,00000070), ref: 0047F3A0
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D784,00000074), ref: 0047F3DB
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F3EB
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F402
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F418
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,00000080), ref: 0047F43E
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D784,00000084), ref: 0047F46C
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F47C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F493
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F4A9
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,00000088), ref: 0047F4CF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040D784,0000008C), ref: 0047F4FD
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F50D
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F524
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,000000E4), ref: 0047F545
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F54E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F562
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040D784,000000E4), ref: 0047F583
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F58C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F5A0
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA44,000000C4), ref: 0047F5C1
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F5CA
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047F5E3
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014), ref: 0047F608
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047F62C
                                                                                    • __vbaStrCat.MSVBVM60(\icon256.gif,?), ref: 0047F63B
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047F646
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0047F64F
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F658
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8,?), ref: 0047F684
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014), ref: 0047F6A9
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047F6CD
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047F6E6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014), ref: 0047F70B
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047F72F
                                                                                    • __vbaStrCat.MSVBVM60(\Video\*.*,?), ref: 0047F744
                                                                                    • __vbaStrCat.MSVBVM60(\Video\,?), ref: 0047F759
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047F760
                                                                                    • #645.MSVBVM60(00000008,00000000,00000000), ref: 0047F76D
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047F778
                                                                                    • __vbaStrCat.MSVBVM60(00000000), ref: 0047F77F
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047F786
                                                                                      • Part of subcall function 0047DCD0: __vbaChkstk.MSVBVM60(00000000,00403446,?,?,?,?,?,00403446), ref: 0047DCEE
                                                                                      • Part of subcall function 0047DCD0: __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD1B
                                                                                      • Part of subcall function 0047DCD0: __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403446), ref: 0047DD2A
                                                                                      • Part of subcall function 0047DCD0: #577.MSVBVM60(?,?,?,?,?,00000000,00403446), ref: 0047DD3F
                                                                                      • Part of subcall function 0047DCD0: __vbaStrVarMove.MSVBVM60(?,?,?,?,00000000,00403446), ref: 0047DD49
                                                                                      • Part of subcall function 0047DCD0: __vbaStrMove.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD54
                                                                                      • Part of subcall function 0047DCD0: __vbaFreeVar.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD5D
                                                                                      • Part of subcall function 0047DCD0: #685.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD6A
                                                                                      • Part of subcall function 0047DCD0: __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,00000000,00403446), ref: 0047DD75
                                                                                      • Part of subcall function 0047DCD0: __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B124,0000001C), ref: 0047DDA8
                                                                                      • Part of subcall function 0047DCD0: __vbaFreeObj.MSVBVM60 ref: 0047DDCC
                                                                                      • Part of subcall function 0047DCD0: __vbaOnError.MSVBVM60(00000000), ref: 0047DDFF
                                                                                      • Part of subcall function 0047DCD0: __vbaFreeStr.MSVBVM60(0047DE32), ref: 0047DE22
                                                                                      • Part of subcall function 0047DCD0: __vbaFreeStr.MSVBVM60 ref: 0047DE2B
                                                                                    • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?,00000000), ref: 0047F7B3
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F7C3
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047F7CF
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F80E
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047F817
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047F81C
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F837
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047F83E
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047F848
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F892
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047F895
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F8A1
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047F8AD
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F8C8
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047F8CF
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047F8D9
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F923
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047F926
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F932
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047F93E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F959
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047F960
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047F96A
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047F9B4
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047F9B7
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047F9C3
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047F9CF
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 0047F9E8
                                                                                    • __vbaNew2.MSVBVM60(00406904,pI`), ref: 0047FA07
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00604970,0040BA8C,00000088), ref: 0047FA36
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BA8C,0000008C), ref: 0047FA77
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047FA8B
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047FAA6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000044), ref: 0047FB7D
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 0047FB9A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA44,0000005C), ref: 0047FBC2
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047FBD8
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0047FBF2
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047FBF9
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047FC03
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047FC4D
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047FC50
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 0047FC60
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047FC68
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0047FC83
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047FC8A
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047FC94
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047FCDE
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047FCE1
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 0047FCF1
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047FCF9
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0047FD14
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047FD1B
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047FD25
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047FD6F
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047FD72
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 0047FD82
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047FD8A
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0047FDA5
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047FDAC
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047FDB6
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047FE00
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047FE03
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 0047FE13
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047FE1B
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0047FE36
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047FE3D
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047FE47
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047FE91
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047FE94
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 0047FEA4
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047FEAC
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0047FEC7
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047FECE
                                                                                    • __vbaR4Var.MSVBVM60(00000000), ref: 0047FED8
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047FF22
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047FF25
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,00000000,?), ref: 0047FF35
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047FF3D
                                                                                    • __vbaFreeStr.MSVBVM60(00480449), ref: 00480442
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$CheckHresult$Late$List$CallNew2$Move$Error$#577#645#685CastChkstkCopy
                                                                                    • String ID: (Trial Version)$Automatically Switch Between Applications At Certain Times Software$Buy a personal license for $19.99 to make this software fully functional (and remove this window)$\HAND-M.CUR$\Video\$\Video\*.*$\icon256.gif$pI`
                                                                                    • API String ID: 1797318748-562604792
                                                                                    • Opcode ID: a5e5a9318a843cbe5b08f74233ea0aabd5204349a6d3ab216da67db84ad0e8bd
                                                                                    • Instruction ID: 40410d74351b1fba9e60b64b4a571be4819065b3da3b04bed92c6c34b025ab23
                                                                                    • Opcode Fuzzy Hash: a5e5a9318a843cbe5b08f74233ea0aabd5204349a6d3ab216da67db84ad0e8bd
                                                                                    • Instruction Fuzzy Hash: B3E20CB0A00209AFDB00EFA4DD88FAEBBB8FF48705F108569F545E72A1D6749949CF54

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph figure; first block 46d0c0-46d185]
                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(?,00403446), ref: 0046D0DE
                                                                                    • __vbaOnError.MSVBVM60(00000001,?,?,?,?,00403446), ref: 0046D10E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00403446), ref: 0046D138
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,00000000,?,?,?,?,00403446), ref: 0046D143
                                                                                    • __vbaCastObjVar.MSVBVM60(00000000,?,?,?,00403446), ref: 0046D14D
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00403446), ref: 0046D158
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B054,0000002C), ref: 0046D19C
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0046D1BE
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00403446), ref: 0046D1CA
                                                                                    • __vbaChkstk.MSVBVM60 ref: 0046D1F0
                                                                                    • #689.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Queued Windows), ref: 0046D229
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0046D234
                                                                                    • __vbaStrCmp.MSVBVM60(0040C118,?), ref: 0046D24A
                                                                                    • __vbaVarDup.MSVBVM60 ref: 0046D27C
                                                                                    • #711.MSVBVM60(?,?,?,000000FF,00000000), ref: 0046D295
                                                                                    • __vbaAryVar.MSVBVM60(00002008,?), ref: 0046D2A7
                                                                                    • __vbaAryCopy.MSVBVM60(?,?), ref: 0046D2BE
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0046D2D1
                                                                                    • __vbaUbound.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,00403446), ref: 0046D2E7
                                                                                    • __vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,00403446), ref: 0046D2EF
                                                                                    Strings
                                                                                    • ||||||||234|||, xrefs: 0046D25F
                                                                                    • ||||||||123|||, xrefs: 0046D3C6
                                                                                    • Automatically Switch Between Applications At Certain Times Software, xrefs: 0046D21F
                                                                                    • Sobolsoft, xrefs: 0046D224
                                                                                    • Queued Windows, xrefs: 0046D21A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$ChkstkList$#689#711CallCastCheckCopyErrorHresultLateMoveUbound
                                                                                    • String ID: Automatically Switch Between Applications At Certain Times Software$Queued Windows$Sobolsoft$||||||||123|||$||||||||234|||
                                                                                    • API String ID: 1996297070-3204929264
                                                                                    • Opcode ID: 8be5811fc5fe4941b53d770980c1595de48268ead03d78ae7091d0896b6168a0
                                                                                    • Instruction ID: 4edb923977e2ba3fd2ff234a9d77cf4e8d9bc3fb4f9484f7aa72b52819a17911
                                                                                    • Opcode Fuzzy Hash: 8be5811fc5fe4941b53d770980c1595de48268ead03d78ae7091d0896b6168a0
                                                                                    • Instruction Fuzzy Hash: BD4216B4E00218DFDB24DF94DE88BDEB7B5FB48304F108199E60AAB290D7745A85CF65

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    [Control-flow graph figure; first block 47e0e0-47e139]
                                                                                    APIs
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047E145
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014), ref: 0047E170
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047E198
                                                                                    • __vbaStrCat.MSVBVM60(\x\o.cjs,?), ref: 0047E1A3
                                                                                    • #645.MSVBVM60(?,00000000), ref: 0047E1B8
                                                                                    • __vbaStrMove.MSVBVM60 ref: 0047E1C3
                                                                                    • __vbaStrCmp.MSVBVM60(0040C118,00000000), ref: 0047E1CF
                                                                                    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0047E1E9
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047E1F5
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047E1FE
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E21F
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00606340,0040A2CC,00000064), ref: 0047E245
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E259
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00606340,0040A2CC,00000218), ref: 0047E284
                                                                                    • __vbaObjSet.MSVBVM60(?,?), ref: 0047E291
                                                                                    • __vbaCheckType.MSVBVM60(0040D774,?,?,00000000), ref: 0047E2A8
                                                                                    • __vbaCheckType.MSVBVM60(?,0040B088), ref: 0047E2CB
                                                                                    • __vbaCheckType.MSVBVM60(?,0040AFE4), ref: 0047E2DF
                                                                                    • __vbaCheckType.MSVBVM60(?,0040B7A0), ref: 0047E2F8
                                                                                    • __vbaCheckType.MSVBVM60(?,0040D784), ref: 0047E311
                                                                                    • __vbaLateMemSt.MSVBVM60(?,BackColor), ref: 0047E346
                                                                                    • __vbaNextEachCollObj.MSVBVM60(0040D774,?,?), ref: 0047E358
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8), ref: 0047E37C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014), ref: 0047E3A1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000050), ref: 0047E3C1
                                                                                    • __vbaStrCat.MSVBVM60(\x\o.cjs,?), ref: 0047E3CC
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E3F5
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047E44A
                                                                                    • __vbaLateIdCall.MSVBVM60(00000000), ref: 0047E44D
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0047E459
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047E46F
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047E477
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E490
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047E4AD
                                                                                    • __vbaLateIdCallLd.MSVBVM60(00000008,00000000), ref: 0047E4B4
                                                                                    • __vbaI4Var.MSVBVM60(00000000), ref: 0047E4BE
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E4E1
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047E512
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047E51F
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0047E52B
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 0047E533
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E554
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047E585
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047E58C
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047E591
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E5B2
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047E5E3
                                                                                    • __vbaLateIdSt.MSVBVM60(00000000), ref: 0047E5EA
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047E5EF
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E608
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00606340,0040A2CC,00000058), ref: 0047E62D
                                                                                    • __vbaNew2.MSVBVM60(00407F58,@c`), ref: 0047E64E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0047E67E
                                                                                    • __vbaLateIdCall.MSVBVM60(00000000), ref: 0047E685
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047E691
                                                                                    • __vbaFreeObjList.MSVBVM60(00000002,?,?,0047E6EB), ref: 0047E6D8
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047E6E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$Check$New2$HresultLate$Type$List$Call$#645CollEachMoveNext
                                                                                    • String ID: @c`$BackColor$\x\o.cjs
                                                                                    • API String ID: 3748492047-1798170870
                                                                                    • Opcode ID: 1974a3c6dd4b5afd790bcd83b3ff25d5c63b51ef65424979227dd98dde52a4ba
                                                                                    • Instruction ID: 800e9c67d4532f08b7ebd2c4fe1f9c28bac9b03fe7502a9f1d4855c0c0269284
                                                                                    • Opcode Fuzzy Hash: 1974a3c6dd4b5afd790bcd83b3ff25d5c63b51ef65424979227dd98dde52a4ba
                                                                                    • Instruction Fuzzy Hash: E3027075A00205AFDB00DFA5DD89EAEBBB8FB48700F208569F509F72A0D7749945CB98

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetModuleHandleA.KERNEL32(?,00000000,?,?,00000000,032C1423,?,?,00000000,00000000,?,?,032A498F,00000000,00000000), ref: 032C3040
                                                                                      • Part of subcall function 032C29B0: GetModuleHandleA.KERNEL32(?,?), ref: 032C2A26
                                                                                      • Part of subcall function 032C29B0: LoadLibraryA.KERNEL32(?,00000000), ref: 032C2A37
                                                                                      • Part of subcall function 032C29B0: GetModuleHandleA.KERNEL32(?,?), ref: 032C2A43
                                                                                      • Part of subcall function 032C16F0: #823.MFC42(00000080,?,?,032F8D4B,000000FF,032BF0EB), ref: 032C1714
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$#823LibraryLoad
                                                                                    • String ID: AdjustWindowRectEx$CallWindowProcA$CallWindowProcW$CloseThemeData$CreateThread$DefDlgProcA$DefDlgProcW$DefFrameProcA$DefFrameProcW$DefMDIChildProcA$DefMDIChildProcW$DefWindowProcA$DefWindowProcW$DeleteObject$DrawEdge$DrawFrameControl$DrawMenuBar$DrawThemeBackground$EnableScrollBar$FillRect$GDI32.DLL$GetCurrentThemeName$GetModuleHandleA$GetProcAddress$GetScrollInfo$GetSysColor$GetSysColorBrush$GetSystemMetrics$GetThemeColor$GetThemeInt$GetThemePartSize$GetThemeSysBool$GetThemeSysColor$IsAppThemed$IsThemeActive$KERNEL32.DLL$LoadLibraryA$LoadLibraryExA$LoadLibraryExW$LoadLibraryW$OpenThemeData$RegisterClassA$RegisterClassW$SetScrollInfo$SetScrollPos$SystemParametersInfoA$TrackPopupMenu$TrackPopupMenuEx$USER32.DLL$UXTHEME.DLL
                                                                                    • API String ID: 1648342375-1042928411
                                                                                    • Opcode ID: 282473ed443f014ef6ebf7f2bd0c7c438858cd5268bd6813e47fe8da9bce02da
                                                                                    • Instruction ID: 704ae7b9398df45c5f5596e47e79365d6966f43e7e4319d163758020b80edb0e
                                                                                    • Opcode Fuzzy Hash: 282473ed443f014ef6ebf7f2bd0c7c438858cd5268bd6813e47fe8da9bce02da
                                                                                    • Instruction Fuzzy Hash: 00919B393F4794BED83AE2611CB7F5E91020B51E04F244A0CFA717A9D7CED93682928D

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00482D81
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E304,0000001C), ref: 00482DD1
                                                                                    • __vbaBoolVar.MSVBVM60(?), ref: 00482DDF
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,(3@,0040E218,000007B4), ref: 00482E05
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00482E0A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,(3@,0040E1E8,00000150), ref: 00482E2F
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E304,0000001C,?,?,?,?), ref: 00482E7F
                                                                                    • __vbaCastObjVar.MSVBVM60(?,0040D560,?,?,?,?), ref: 00482E8E
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 00482E99
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,(3@,0040E218,000007A4,?,?,?,?), ref: 00482EBC
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00482EC5
                                                                                    • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00482ED5
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E304,0000001C,?,?,?,?,?,?,?,?,?,?,?), ref: 00482F25
                                                                                    • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00482F2F
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00482F3A
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,(3@,0040E218,000007AC,?,?,?,?,?,?,?,?,?,?,?), ref: 00482F5D
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00482F66
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?), ref: 00482F6F
                                                                                    • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00482F7A
                                                                                    • __vbaFreeObj.MSVBVM60(00482FC1,?,?,?,?,?,?,?,?,?,?,?), ref: 00482FBA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$Free$AddrefMove$BoolCastList
                                                                                    • String ID: (3@$InTray$Telnet Server$TrayIcon$TrayTip
                                                                                    • API String ID: 2423865005-2297761629
                                                                                    • Opcode ID: ab69313bd6158c8b820436ad59ea075b6bd3fccdef1ae019ceafaa72b50c1b04
                                                                                    • Instruction ID: e4df779a07ebf541be2fe43122fb10fa927fce82133e89206e72f87bd51bdcf1
                                                                                    • Opcode Fuzzy Hash: ab69313bd6158c8b820436ad59ea075b6bd3fccdef1ae019ceafaa72b50c1b04
                                                                                    • Instruction Fuzzy Hash: BD813C70E00209EFCB04DF94DD89DAEBBB9FF58700B20846AF509AB295D7749945CF94

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • #860.MFC42(?,?,?,?,00000000), ref: 032C618D
                                                                                    • #860.MFC42(?,?,?,?,?,00000000), ref: 032C619C
                                                                                    • #923.MFC42(?,?,0000005C,?,?,?,?,?,00000000), ref: 032C61C1
                                                                                    • #922.MFC42(?,00000000,?,?,?,0000005C,?,?,?,?,?,00000000), ref: 032C61D3
                                                                                    • #800.MFC42(?,00000000,?,?), ref: 032C61E1
                                                                                    • GetFileAttributesA.KERNEL32(?,?,00000000,?,?), ref: 032C61F6
                                                                                    • #823.MFC42(00000014), ref: 032C6207
                                                                                    • #533.MFC42 ref: 032C621E
                                                                                    • #800.MFC42 ref: 032C625E
                                                                                    • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 032C627C
                                                                                    • LoadLibraryExA.KERNEL32(?,00000000,00000002), ref: 032C628D
                                                                                    • #800.MFC42 ref: 032C62A1
                                                                                    • #858.MFC42(00000000), ref: 032C62E4
                                                                                    • #800.MFC42(00000000), ref: 032C62F1
                                                                                    • #535.MFC42(?,?,?,?,?,?,00000000), ref: 032C62FB
                                                                                    • #6876.MFC42(0000002E,0000005F,?), ref: 032C6310
                                                                                    • #6876.MFC42(0000005C,0000005F), ref: 032C631D
                                                                                    • FindResourceA.KERNEL32(?,?,TEXTFILE), ref: 032C6330
                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 032C6341
                                                                                    • #800.MFC42 ref: 032C6353
                                                                                    • LockResource.KERNEL32(00000000), ref: 032C635D
                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 032C636D
                                                                                    • #800.MFC42 ref: 032C6398
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #800$Resource$Load$#6876#860Library$#533#535#823#858#922#923AttributesFileFindLockSizeof
                                                                                    • String ID: TEXTFILE
                                                                                    • API String ID: 277019682-343777186
                                                                                    • Opcode ID: 68e30621e0d5187133b7ff7f8c893bd0a679306e65d508beb45f9bc755a51e32
                                                                                    • Instruction ID: d291a494f105929eb0d056b0cebcc88767b9641e2fe2eba118369633963127c3
                                                                                    • Opcode Fuzzy Hash: 68e30621e0d5187133b7ff7f8c893bd0a679306e65d508beb45f9bc755a51e32
                                                                                    • Instruction Fuzzy Hash: E16180742247819FD310EF65C884A2BF7E4BF89725F180B2CF59A97690DB74E984CB12

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00403398,0040E1E8,000002B0), ref: 004838E1
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040E314,0000003C), ref: 00483905
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 00483911
                                                                                    • __vbaSetSystemError.MSVBVM60(41A00000,000000FC,004844B0), ref: 00483935
                                                                                    • __vbaObjSetAddref.MSVBVM60(?,00403398), ref: 00483946
                                                                                    • #644.MSVBVM60(00000000), ref: 0048394D
                                                                                    • __vbaSetSystemError.MSVBVM60(?,000000EB,00000000), ref: 0048395E
                                                                                    • __vbaFreeObj.MSVBVM60(?,000000EB,00000000), ref: 0048396D
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00403398,0040E218,000007B0,?,000000EB,00000000), ref: 0048398C
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00403398,0040E218,000007A8,?,000000EB,00000000), ref: 004839AF
                                                                                    • __vbaObjSet.MSVBVM60(?,?,?,000000EB,00000000), ref: 004839C4
                                                                                    • __vbaStrMove.MSVBVM60(?,000000EB,00000000), ref: 004839D7
                                                                                    • __vbaFreeStr.MSVBVM60(?,000000EB,00000000), ref: 004839F6
                                                                                    • __vbaFreeObj.MSVBVM60(?,000000EB,00000000), ref: 004839FF
                                                                                    • __vbaSetSystemError.MSVBVM60(?,000000FC,6C966CE0), ref: 00483A32
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00403398,0040E1E8,00000390), ref: 00483A81
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$Free$ErrorSystem$#644AddrefMove
                                                                                    • String ID: InTray$qEH
                                                                                    • API String ID: 411966765-119485625
                                                                                    • Opcode ID: 9c415fcfe69c9abc0f571c85cc1e0c1c49d2c1ff86b651770e20c114cb2fdf41
                                                                                    • Instruction ID: 3dc73a8e87e56088f26dd508c03e766f7b223b99edfe8d9a7dec82ca2c3faa8e
                                                                                    • Opcode Fuzzy Hash: 9c415fcfe69c9abc0f571c85cc1e0c1c49d2c1ff86b651770e20c114cb2fdf41
                                                                                    • Instruction Fuzzy Hash: 96617070900245AFCB14EFA5C988DDEBBB8FF48705B10492EF545B36A0D778AA45CF68

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • #1116.MFC42(?,?,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB22E
                                                                                    • #1176.MFC42(?,?,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB233
                                                                                    • #1575.MFC42(?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?,?,?,?,?), ref: 100EB247
                                                                                    • #1168.MFC42(?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?,?,?,?,?), ref: 100EB250
                                                                                    • #1577.MFC42(?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?,?,?,?,?), ref: 100EB26E
                                                                                    • #1182.MFC42(10142488,?,?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?,?,?), ref: 100EB281
                                                                                    • #823.MFC42(00000040,10142488,?,?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?,?), ref: 100EB288
                                                                                    • #342.MFC42(10142488,00000000,10142488,?,?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?), ref: 100EB297
                                                                                    • #1176.MFC42(?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?,?,?,?,?), ref: 100EB2A6
                                                                                    • #1243.MFC42(?,?,00000000,1013FCB0,00000000,?,?,?,?,?,?,100EB6FD,?,?,?,?), ref: 100EB2AE
                                                                                    • #1243.MFC42(101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB2C5
                                                                                    • #1176.MFC42(101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB2CC
                                                                                    • #1168.MFC42(101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB2D4
                                                                                    • #1197.MFC42(101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB2E7
                                                                                    • #1570.MFC42(000000FF,101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB2EE
                                                                                    • #1577.MFC42(000000FF,101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB2F3
                                                                                    • #1253.MFC42(10142488,00000001,000000FF,101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB2FF
                                                                                    • #6467.MFC42(101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB314
                                                                                    • #1197.MFC42(101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB319
                                                                                    • #1570.MFC42(000000FF,101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB320
                                                                                    • #1255.MFC42(?,000000FF,101413F8,?,?,?,?,100EB6FD,?,?,?,?,?,?), ref: 100EB328
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2511428626.0000000010000000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513471785.00000000100FB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513597721.0000000010134000.00000004.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513663159.0000000010135000.00000008.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513834204.0000000010143000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_10000000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #1176$#1168#1197#1243#1570#1577$#1116#1182#1253#1255#1575#342#6467#823
                                                                                    • String ID:
                                                                                    • API String ID: 2007088025-0
                                                                                    • Opcode ID: 46f4884943b5c8cae32a8217db9e5beab4bb5bc5c3c0cabbc8d9d7c4dcc0c0c0
                                                                                    • Instruction ID: fe161503c06d70968b0f2298d02d4b55c7f0a46291f14cd2809e4b0ef85de537
                                                                                    • Opcode Fuzzy Hash: 46f4884943b5c8cae32a8217db9e5beab4bb5bc5c3c0cabbc8d9d7c4dcc0c0c0
                                                                                    • Instruction Fuzzy Hash: 29318E38600A04AFCB14DFA3C946A5F77A9EF80360B618119F915BB262CF74ED41CA70

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • #1116.MFC42(?,?,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5D6E
                                                                                    • #1176.MFC42(?,?,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5D73
                                                                                    • #1575.MFC42(?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?,?,?,?,?), ref: 032F5D87
                                                                                    • #1168.MFC42(?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?,?,?,?,?), ref: 032F5D90
                                                                                    • #1577.MFC42(?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?,?,?,?,?), ref: 032F5DAE
                                                                                    • #1182.MFC42(03315AE0,?,?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?,?,?), ref: 032F5DC1
                                                                                    • #823.MFC42(00000040,03315AE0,?,?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?,?), ref: 032F5DC8
                                                                                    • #342.MFC42(03315AE0,00000000,03315AE0,?,?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?), ref: 032F5DD7
                                                                                    • #1176.MFC42(?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?,?,?,?,?), ref: 032F5DE6
                                                                                    • #1243.MFC42(?,?,00000000,03313F08,00000000,?,?,?,?,?,?,032F6237,?,?,?,?), ref: 032F5DEE
                                                                                    • #1243.MFC42(03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E05
                                                                                    • #1176.MFC42(03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E0C
                                                                                    • #1168.MFC42(03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E14
                                                                                    • #1197.MFC42(03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E27
                                                                                    • #1570.MFC42(000000FF,03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E2E
                                                                                    • #1577.MFC42(000000FF,03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E33
                                                                                    • #1253.MFC42(03315AE0,00000001,000000FF,03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E3F
                                                                                    • #6467.MFC42(03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E54
                                                                                    • #1197.MFC42(03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E59
                                                                                    • #1570.MFC42(000000FF,03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E60
                                                                                    • #1255.MFC42(?,000000FF,03314A50,?,?,?,?,032F6237,?,?,?,?,?,?), ref: 032F5E68
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #1176$#1168#1197#1243#1570#1577$#1116#1182#1253#1255#1575#342#6467#823
                                                                                    • String ID:
                                                                                    • API String ID: 2007088025-0
                                                                                    • Opcode ID: d0f8761b557fa9b68eebc0db28e3cdfc71a40ed2cd552b7f689f0349d6d93e30
                                                                                    • Instruction ID: 55e5a679ba1696d4bbc438239fb2699bef1f2b20af2da9084e49df05bcfdcbd4
                                                                                    • Opcode Fuzzy Hash: d0f8761b557fa9b68eebc0db28e3cdfc71a40ed2cd552b7f689f0349d6d93e30
                                                                                    • Instruction Fuzzy Hash: 29318138620305AFDB10FF61C884A6EF7A5EF42A24B248138F7265F261DBB0D8C08B51

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaObjIs.MSVBVM60(0000007A,00000000), ref: 00483BC3
                                                                                    • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00483BDA
                                                                                    • __vbaI4Var.MSVBVM60(00000000), ref: 00483BE4
                                                                                    • __vbaFreeVar.MSVBVM60 ref: 00483BF6
                                                                                    • __vbaObjSetAddref.MSVBVM60(?), ref: 00483C15
                                                                                    • __vbaStrCmp.MSVBVM60(0040C118,00000000), ref: 00483C26
                                                                                    • __vbaStrCat.MSVBVM60(00409EE8), ref: 00483C38
                                                                                    • __vbaStrMove.MSVBVM60 ref: 00483C46
                                                                                    • __vbaLsetFixstr.MSVBVM60(00000080,?,00000000), ref: 00483C59
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 00483C65
                                                                                    • __vbaStrCopy.MSVBVM60 ref: 00483C81
                                                                                    • __vbaRecUniToAnsi.MSVBVM60(0040B850,?,?), ref: 00483CBC
                                                                                    • Shell_NotifyIcon.SHELL32(00000000,00000000), ref: 00483CC9
                                                                                    • __vbaRecAnsiToUni.MSVBVM60(0040B850,000001E8,?), ref: 00483CE2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$AnsiFree$AddrefCallCopyFixstrIconLateLsetMoveNotifyShell_
                                                                                    • String ID: F4@
                                                                                    • API String ID: 3307226688-1184930311
                                                                                    • Opcode ID: 3bff7211b797942f6330a9b05ce664bcaf977400d98b0e0244e2e196a9e0f9f8
                                                                                    • Instruction ID: abb091f64739f953e65f716a154888a335f3458eefed3f08c6a040bcb9450771
                                                                                    • Opcode Fuzzy Hash: 3bff7211b797942f6330a9b05ce664bcaf977400d98b0e0244e2e196a9e0f9f8
                                                                                    • Instruction Fuzzy Hash: 74413970900258AFDB25DF54CD88AAABBBCFB48705F0044A9FA49B72A0D7346B84CF55

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 032BD510: InitializeCriticalSection.KERNEL32(00000044,00000000,032C0F20,?,00000000), ref: 032BD514
                                                                                    • #823.MFC42(00000040,?,00000000), ref: 032C0F47
                                                                                    • #823.MFC42(0000001C), ref: 032C0F71
                                                                                    • #825.MFC42(?), ref: 032C0FA7
                                                                                    • GetModuleHandleA.KERNEL32(USER32), ref: 032C1001
                                                                                    • GetProcAddress.KERNEL32(00000000,SetWinEventHook), ref: 032C101A
                                                                                    • GetProcAddress.KERNEL32(00000000,UnhookWinEvent), ref: 032C1025
                                                                                    • GetCurrentProcessId.KERNEL32(00000000,00000000), ref: 032C1038
                                                                                    • SetWinEventHook.USER32(00008004,00008004,00000000,032D1130,00000000), ref: 032C104F
                                                                                    • #1168.MFC42 ref: 032C105C
                                                                                      • Part of subcall function 032C5E60: #290.MFC42(00000000,00000000,00000000,00000000,032F905E,000000FF,032C0F64,00000000), ref: 032C5E7E
                                                                                      • Part of subcall function 032C5E60: #540.MFC42(00000000,00000000,00000000,00000000,032F905E,000000FF,032C0F64,00000000), ref: 032C5E8C
                                                                                      • Part of subcall function 032C5E60: #540.MFC42(00000000,00000000,00000000,00000000,032F905E,000000FF,032C0F64,00000000), ref: 032C5E99
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #540#823AddressProc$#1168#290#825CriticalCurrentEventHandleHookInitializeModuleProcessSection
                                                                                    • String ID: SetWinEventHook$USER32$UnhookWinEvent
                                                                                    • API String ID: 2601376831-3138813856
                                                                                    • Opcode ID: 1124c7a2def36a630f41d5d000ca4a6649e6f911b6e8d6afabcd59c48d00cf1c
                                                                                    • Instruction ID: 3b306c336e2b41446a146f3bf7d5981103b3f66d9aaaad3f19d81ec346c8fac3
                                                                                    • Opcode Fuzzy Hash: 1124c7a2def36a630f41d5d000ca4a6649e6f911b6e8d6afabcd59c48d00cf1c
                                                                                    • Instruction Fuzzy Hash: 54412AB4920B808FD321EF6A844461BFBE8BF94B00F544E2ED59687A51D7B4E084CF55

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • __vbaChkstk.MSVBVM60(00000000,00403446,?,?,?,?,?,00403446), ref: 0047DCEE
                                                                                    • __vbaStrCopy.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD1B
                                                                                    • __vbaOnError.MSVBVM60(000000FF,?,?,?,00000000,00403446), ref: 0047DD2A
                                                                                    • #577.MSVBVM60(?,?,?,?,?,00000000,00403446), ref: 0047DD3F
                                                                                    • __vbaStrVarMove.MSVBVM60(?,?,?,?,00000000,00403446), ref: 0047DD49
                                                                                    • __vbaStrMove.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD54
                                                                                    • __vbaFreeVar.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD5D
                                                                                    • #685.MSVBVM60(?,?,?,00000000,00403446), ref: 0047DD6A
                                                                                    • __vbaObjSet.MSVBVM60(00000000,00000000,?,?,?,00000000,00403446), ref: 0047DD75
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040B124,0000001C), ref: 0047DDA8
                                                                                    • __vbaFreeObj.MSVBVM60 ref: 0047DDCC
                                                                                    • __vbaOnError.MSVBVM60(00000000), ref: 0047DDFF
                                                                                    • __vbaFreeStr.MSVBVM60(0047DE32), ref: 0047DE22
                                                                                    • __vbaFreeStr.MSVBVM60 ref: 0047DE2B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$ErrorMove$#577#685CheckChkstkCopyHresult
                                                                                    • String ID:
                                                                                    • API String ID: 2895999492-0
                                                                                    • Opcode ID: db435e0c540892e2302a7bb175ef15182f26c08d5a7478a2b4dc460a84a882ef
                                                                                    • Instruction ID: 1e96894636f45b015d9b90576161228b5923cdd973847558ecfcb444a92b236b
                                                                                    • Opcode Fuzzy Hash: db435e0c540892e2302a7bb175ef15182f26c08d5a7478a2b4dc460a84a882ef
                                                                                    • Instruction Fuzzy Hash: EB411775D00248DFDB00DFA4DA48BDEBBB4FF08705F20816AE106B72A0DB785A49CB59

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: 1.2.10
                                                                                    • API String ID: 0-2288027664
                                                                                    • Opcode ID: e773cdd040b4c383c88f745103c3a903521e99042b527729f4f9ac3771506c7e
                                                                                    • Instruction ID: 7aa16bdd742645c3ea27b2f498284944ac471623f81724eb60fe6d75739f875e
                                                                                    • Opcode Fuzzy Hash: e773cdd040b4c383c88f745103c3a903521e99042b527729f4f9ac3771506c7e
                                                                                    • Instruction Fuzzy Hash: BCB1D7B6E10209AFDF10EF95DC82EBFB7B9EF85610F144169E904AB340D675AD40CBA1

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 032AE198
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: Bits
                                                                                    • String ID: $(
                                                                                    • API String ID: 3573556081-55695022

                                                                                    Control-flow Graph (legend: Executed, Not Executed)
                                                                                    APIs
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00403446), ref: 00474906
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BEC8,000000A0,?,?,?,?,?,?,?,?,00403446), ref: 0047492D
                                                                                    • #690.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Text2,?,?,?,?,?,?,?,?,?,00403446), ref: 00474946
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00403446), ref: 0047494F
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00403446), ref: 00474958
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$#690CheckHresult
                                                                                    • String ID: $@$Automatically Switch Between Applications At Certain Times Software$Sobolsoft$Text2
                                                                                    • API String ID: 488416567-2645191380
                                                                                    APIs
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00403446), ref: 004744C6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040BEC8,000000A0,?,?,?,?,?,?,?,?,00403446), ref: 004744ED
                                                                                    • #690.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Text1,?,?,?,?,?,?,?,?,?,00403446), ref: 00474506
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00403446), ref: 0047450F
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00403446), ref: 00474518
                                                                                    Strings
                                                                                    • Text1, xrefs: 004744F7
                                                                                    • Automatically Switch Between Applications At Certain Times Software, xrefs: 004744FC
                                                                                    • Sobolsoft, xrefs: 00474501
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$#690CheckHresult
                                                                                    • String ID: Automatically Switch Between Applications At Certain Times Software$Sobolsoft$Text1
                                                                                    • API String ID: 488416567-308836237
                                                                                    APIs
                                                                                    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00403446), ref: 004650D6
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040AFD4,000000A8,?,?,?,?,?,?,?,?,00403446), ref: 004650FD
                                                                                    • #690.MSVBVM60(Sobolsoft,Automatically Switch Between Applications At Certain Times Software,Weekly,?,?,?,?,?,?,?,?,?,00403446), ref: 00465116
                                                                                    • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00403446), ref: 0046511F
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00403446), ref: 00465128
                                                                                    Strings
                                                                                    • Weekly, xrefs: 00465107
                                                                                    • Automatically Switch Between Applications At Certain Times Software, xrefs: 0046510C
                                                                                    • Sobolsoft, xrefs: 00465111
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$Free$#690CheckHresult
                                                                                    • String ID: Automatically Switch Between Applications At Certain Times Software$Sobolsoft$Weekly
                                                                                    • API String ID: 488416567-1414040391
                                                                                    APIs
                                                                                    • #4459.MFC42(?), ref: 100C9308
                                                                                    • SendMessageA.USER32(?,00000406,?,?), ref: 100C9337
                                                                                    • SendMessageA.USER32(?,00000402,?,00000000), ref: 100C934B
                                                                                    • #4287.MFC42(00020200,00000000,00000000,?,?,?), ref: 100C9358
                                                                                    • #6197.MFC42(00000000,00000000,00000000,00000000,00000000,00000037,00020200,00000000,00000000,?,?,?), ref: 100C9372
                                                                                    • #1614.MFC42 ref: 100C9383
                                                                                    • SendMessageA.USER32(?,0000040A,00000001,?), ref: 100C93D7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2511428626.0000000010000000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513471785.00000000100FB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513597721.0000000010134000.00000004.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513663159.0000000010135000.00000008.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513834204.0000000010143000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_10000000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$#1614#4287#4459#6197
                                                                                    • String ID:
                                                                                    • API String ID: 3659836372-0
                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 032C59B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: OpenProcess
                                                                                    • String ID:
                                                                                    • API String ID: 3743895883-0
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(PSAPI.DLL,?,032C5CF0,032C5D45,00000000,032C2DF8,00000000,?,?,?), ref: 032C5C88
                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?), ref: 032C5CA5
                                                                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 032C5CB5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                                    • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$PSAPI.DLL
                                                                                    • API String ID: 310444273-467172384
                                                                                    APIs
                                                                                      • Part of subcall function 100A84B0: #537.MFC42 ref: 100A84DC
                                                                                      • Part of subcall function 100A84B0: #536.MFC42(00000052,00000001), ref: 100A84F1
                                                                                      • Part of subcall function 100A84B0: #536.MFC42(00000053,00000001,00000052,00000001), ref: 100A8504
                                                                                      • Part of subcall function 100A84B0: #536.MFC42(0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A8517
                                                                                      • Part of subcall function 100A84B0: #922.MFC42(?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A8528
                                                                                      • Part of subcall function 100A84B0: #922.MFC42(?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A8539
                                                                                      • Part of subcall function 100A84B0: #924.MFC42(?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A854E
                                                                                      • Part of subcall function 100A84B0: #939.MFC42(00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A855D
                                                                                      • Part of subcall function 100A84B0: #800.MFC42(00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A856B
                                                                                      • Part of subcall function 100A84B0: #800.MFC42(00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A8579
                                                                                      • Part of subcall function 100A84B0: #800.MFC42(00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A8587
                                                                                      • Part of subcall function 100A84B0: #800.MFC42(00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A8595
                                                                                      • Part of subcall function 100A84B0: #800.MFC42(00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A85A3
                                                                                      • Part of subcall function 100A84B0: #800.MFC42(00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001,00000052,00000001), ref: 100A85B0
                                                                                      • Part of subcall function 100A84B0: #536.MFC42(00000041,00000001,00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001,00000053,00000001), ref: 100A85BC
                                                                                      • Part of subcall function 100A84B0: #536.MFC42(00000054,00000001,00000041,00000001,00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000,0000004E,00000001), ref: 100A85CF
                                                                                      • Part of subcall function 100A84B0: #536.MFC42(00000056,00000001,00000054,00000001,00000041,00000001,00000000,?,00000000,1013CDE4,?,00000000,00000000,?,00000000,00000000), ref: 100A85E2
                                                                                      • Part of subcall function 100A84B0: #922.MFC42(?,00000000,00000000,00000056,00000001,00000054,00000001,00000041,00000001,00000000,?,00000000,1013CDE4,?,00000000,00000000), ref: 100A85F3
                                                                                      • Part of subcall function 100A84B0: #922.MFC42(?,00000000,00000000,?,00000000,00000000,00000056,00000001,00000054,00000001,00000041,00000001,00000000,?,00000000,1013CDE4), ref: 100A8604
                                                                                    • #537.MFC42(1013CC68,?,?,?,?,?,?,?,?,100F8918,000000FF), ref: 100CAC1B
                                                                                    • #922.MFC42(?,00000000,?,1013CC68,?,?,?,?,?,?,?,?,100F8918,000000FF), ref: 100CAC30
                                                                                    • #1601.MFC42(?,00000000,?,1013CC68,?,?,?,?,?,?,?,?,100F8918,000000FF), ref: 100CAC44
                                                                                    • #800.MFC42(?,00000000,?,1013CC68,?,?,?,?,?,?,?,?,100F8918,000000FF), ref: 100CAC5D
                                                                                    • #800.MFC42(?,00000000,?,1013CC68,?,?,?,?,?,?,?,?,100F8918,000000FF), ref: 100CAC6B
                                                                                    • #800.MFC42(?,00000000,?,1013CC68,?,?,?,?,?,?,?,?,100F8918,000000FF), ref: 100CAC7C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2511428626.0000000010000000.00000002.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513471785.00000000100FB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513597721.0000000010134000.00000004.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513663159.0000000010135000.00000008.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513834204.0000000010143000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_10000000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #800$#536$#922$#537$#1601#924#939
                                                                                    • String ID:
                                                                                    • API String ID: 103124348-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #1176#1243Local$AllocFree
                                                                                    • String ID:
                                                                                    • API String ID: 2308495640-0
                                                                                    APIs
                                                                                    • __vbaNew2.MSVBVM60(0040BCB8,004878D8,?,?,?,?,?,?,?,?,?,00000000,00403446), ref: 00485994
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,0296262C,0040BCA8,00000014,?,?,?,?,?,?,?,?,?,00000000,00403446), ref: 004859B9
                                                                                    • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040BCC8,00000100,?,?,?,?,?,?,?,?,?,00000000,00403446), ref: 004859E3
                                                                                    • __vbaSetSystemError.MSVBVM60(0000000D,00485800,?,00000000,?,?,?,?,?,?,?,?,?,00000000,00403446), ref: 004859FC
                                                                                    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000000,00403446), ref: 00485A0B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                     • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                     • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: __vba$CheckHresult$ErrorFreeNew2System
                                                                                    • String ID:
                                                                                    • API String ID: 3252491692-0
                                                                                    APIs
                                                                                    • ImageDirectoryEntryToData.IMAGEHLP(?,00000001,00000001,?,?,00000000,00000000,?), ref: 032C2EF7
                                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 032C2F91
                                                                                    • VirtualProtect.KERNEL32(?,00000000,00000004,?), ref: 032C2FAB
                                                                                    • VirtualProtect.KERNEL32(?,00000000,?,?), ref: 032C2FCA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$Protect$DataDirectoryEntryImageQuery
                                                                                    • String ID:
                                                                                    • API String ID: 258705335-0
                                                                                    APIs
                                                                                    • #2414.MFC42(?,?,?,?,00000000,00000000,?,032FA768,000000FF,032AB6DA,?), ref: 032F502E
                                                                                    • free.MSVCRT ref: 032F5088
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #2414free
                                                                                    • String ID:
                                                                                    • API String ID: 828156691-0
                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 032C594D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: OpenProcess
                                                                                    • String ID:
                                                                                    • API String ID: 3743895883-0
                                                                                    APIs
                                                                                    • #823.MFC42(00000050,?,?,100F27EA,000000FF), ref: 100803C8
                                                                                    Strings
                                                                                    • LinearGradientBrush, xrefs: 100803F4
                                                                                    • CXTPMarkupLinearGradientBrush, xrefs: 100803EF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2511428626.0000000010000000.00000002.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513471785.00000000100FB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513597721.0000000010134000.00000004.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513663159.0000000010135000.00000008.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513834204.0000000010143000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_10000000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #823
                                                                                    • String ID: CXTPMarkupLinearGradientBrush$LinearGradientBrush
                                                                                    • API String ID: 3944439427-1366942979
                                                                                    APIs
                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 032D0A61
                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 032D0A90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2714655100-0
                                                                                    APIs
                                                                                      • Part of subcall function 032C16F0: #823.MFC42(00000080,?,?,032F8D4B,000000FF,032BF0EB), ref: 032C1714
                                                                                    • IsWindow.USER32(?), ref: 032D1174
                                                                                    • #3797.MFC42 ref: 032D1180
                                                                                    • SetTimer.USER32(?,00000ACD,000003E8,00000000), ref: 032D119C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #3797#823TimerWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2031376116-0
                                                                                    APIs
                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 032D0FB4
                                                                                    • GetCurrentProcessId.KERNEL32 ref: 032D0FBE
                                                                                    • PostMessageA.USER32(?,00000015,00000000,00000000), ref: 032D0FD1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                     • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentMessagePostThreadWindow
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 032C10A2
                                                                                    • #3030.MFC42(032C23D0), ref: 032C10B4
                                                                                    • SetWindowsHookExA.USER32(00000005,032C1670,00000000,00000000), ref: 032C10D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: #3030CurrentHookThreadWindows
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                     • Associated: 00000012.00000002.2511428626.0000000010000000.00000002.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513471785.00000000100FB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513597721.0000000010134000.00000004.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513663159.0000000010135000.00000008.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                     • Associated: 00000012.00000002.2513834204.0000000010143000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_10000000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: _inittermfreemalloc
                                                                                    APIs
                                                                                    • #823.MFC42(00000050,?,?,100F38BA,000000FF), ref: 10089EC8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: #823
                                                                                    • String ID: CXTPMarkupInputElement
                                                                                    APIs
                                                                                    • #823.MFC42(00000018,00000000,?,032CC7AE,?,?,?,?), ref: 032CC424
                                                                                      • Part of subcall function 032C66C0: sscanf.MSVCRT ref: 032C66F2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: #823sscanf
                                                                                    APIs
                                                                                    • #1168.MFC42(00000000,?,?,?,?,?,?,00000000), ref: 032C2DDC
                                                                                    • GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 032C2DE8
                                                                                      • Part of subcall function 032C5D30: #823.MFC42(00000020,00000000,00000000,032C2DF8,00000000,?,?,?), ref: 032C5D4D
                                                                                      • Part of subcall function 032C28C0: #800.MFC42 ref: 032C2929
                                                                                      • Part of subcall function 032C2EA0: ImageDirectoryEntryToData.IMAGEHLP(?,00000001,00000001,?,?,00000000,00000000,?), ref: 032C2EF7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: #1168#800#823CurrentDataDirectoryEntryImageProcess
                                                                                    APIs
                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 032C3C7E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    APIs
                                                                                    • EnumWindows.USER32(Function_00030FA0,00000000), ref: 032D1002
                                                                                    • IsWindow.USER32(?), ref: 032D105B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: EnumWindowWindows
                                                                                    APIs
                                                                                    • #1153.MFC42(?,00000000,?,?,?,?,032C2AFD,?,?,?,?,?,00000000), ref: 032C2CCB
                                                                                    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,032C2AFD,?,?,?,?,?,00000000), ref: 032C2CE4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: #1153InfoSystem
                                                                                    APIs
                                                                                    • SetScrollInfo.USER32(?,?,?,?), ref: 032C36F8
                                                                                    • SetScrollInfo.USER32(?,?,?,00000000,?), ref: 032C3736
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: InfoScroll
                                                                                    APIs
                                                                                    • #2379.MFC42 ref: 032D8046
                                                                                      • Part of subcall function 032A8E60: IsWindow.USER32(?), ref: 032A8E74
                                                                                      • Part of subcall function 032A8E60: GetWindowRect.USER32(?), ref: 032A8E84
                                                                                      • Part of subcall function 032D78F0: SetWindowRgn.USER32(032D616B,00000000,00000001), ref: 032D792E
                                                                                      • Part of subcall function 032D78F0: SetWindowRgn.USER32(00000002,00000000,00000001), ref: 032D7987
                                                                                      • Part of subcall function 032D78D0: #3797.MFC42(032D745C,?,00000000,00000000), ref: 032D78D0
                                                                                    • PostMessageA.USER32(?,00000085,00000000,00000000), ref: 032D80CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$#2379#3797MessagePostRect
                                                                                    • String ID:
                                                                                    • API String ID: 1282420808-0
                                                                                    • Opcode ID: 75aaa0c84a5c6d9643f43fd78a58af8795153b8262eda49609c83bc31a0b75bb
                                                                                    • Instruction ID: 4750541999c523cd1e4d481aa4e20227f1371794ceee128a9fa8282df284fa49
                                                                                    • Opcode Fuzzy Hash: 75aaa0c84a5c6d9643f43fd78a58af8795153b8262eda49609c83bc31a0b75bb
                                                                                    • Instruction Fuzzy Hash: B1112A746147029FD718EF28D964A6BFBE5FF89310F058A5DA48ACB390DA70E840CB85
                                                                                    APIs
                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 032C2B87
                                                                                    • CallWindowProcA.USER32(?,?,?,?,?), ref: 032C2BA5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2714655100-0
                                                                                    • Opcode ID: da8e8ed7afec31bd57805b6ef586e9e42a3d2e277a0c4a7e2db146a4a29de79f
                                                                                    • Instruction ID: aaa1559ad210bce7bfbf94bf2c116e4be269db0555e8e4c46dbecb66e1e23fa9
                                                                                    • Opcode Fuzzy Hash: da8e8ed7afec31bd57805b6ef586e9e42a3d2e277a0c4a7e2db146a4a29de79f
                                                                                    • Instruction Fuzzy Hash: 45F074B6618342AFD604DF94D994D2BB3E9ABC8710F04CE0CB69983254DB30E804CB72
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: LibraryLoad
                                                                                    • String ID:
                                                                                    • API String ID: 1029625771-0
                                                                                    • Opcode ID: 85e4e8fd5b9c58e33c139f6fc7a4124aac1795a2e35e82e52ad42feddedee73a
                                                                                    • Instruction ID: 16370b679009a6fac314ae9eb2c92e3bec2ef46ce6bccefc098c122e209c5848
                                                                                    • Opcode Fuzzy Hash: 85e4e8fd5b9c58e33c139f6fc7a4124aac1795a2e35e82e52ad42feddedee73a
                                                                                    • Instruction Fuzzy Hash: 03E012BA73439067DA11F6B56D18F5B61989F90655F004928F609CB244DD74DD40C3A9
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2502416060.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2502242796.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2502792126.0000000000487000.00000004.00000001.01000000.0000000D.sdmp
                                                                                    • Associated: 00000012.00000002.2503048814.000000000048A000.00000002.00000001.01000000.0000000D.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_400000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #100
                                                                                    • String ID:
                                                                                    • API String ID: 1341478452-0
                                                                                    • Opcode ID: c7d6f3a39aeaceaa12279ba137e13bbfd00b19da1de5b88fa772e26d65998424
                                                                                    • Instruction ID: 9f15c12d86fb9c4b5b50fc8ca1fdc4c045cb74d5bbdd083f0ae5284cfa882fab
                                                                                    • Opcode Fuzzy Hash: c7d6f3a39aeaceaa12279ba137e13bbfd00b19da1de5b88fa772e26d65998424
                                                                                    • Instruction Fuzzy Hash: D4410BA246E7C24FD7131B3049741957FB8AE2322574A41EBE4C1EF1E3E26C4E09C76A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: a7278001f07436964d95fac099c968dea2d42fb1112bcfc5fe3a216eb20cedcf
                                                                                    • Instruction ID: 9852ba0506ad8130bf94124b1555bb1c4eaccc8dd96f7c5217289254dd74c5b6
                                                                                    • Opcode Fuzzy Hash: a7278001f07436964d95fac099c968dea2d42fb1112bcfc5fe3a216eb20cedcf
                                                                                    • Instruction Fuzzy Hash: 1D1190756143019FD714EF15E880BABBBF8EF90360F04842EE84A8B210E674E889C761
                                                                                    APIs
                                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 032C3D18
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 181713994-0
                                                                                    • Opcode ID: fbfa08ba34b682c8d5f77dc56b03c93d5115f3e0f7459d25e627db70db5c5d8c
                                                                                    • Instruction ID: 44775ca05068f04e30df78b40da45693300cb7ecb01c07d55796c7ef2d735f07
                                                                                    • Opcode Fuzzy Hash: fbfa08ba34b682c8d5f77dc56b03c93d5115f3e0f7459d25e627db70db5c5d8c
                                                                                    • Instruction Fuzzy Hash: 9F01C876214345AFD210DA55DC88EABB7ECFBC8765F108E1EF68587240DA74D805CBB2
                                                                                    APIs
                                                                                    • #823.MFC42(00000048,?,?,?,?,032F8EFB,000000FF,032C2A65,?,?,?,00000000,00000000,00000000), ref: 032C2ACB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #823
                                                                                    • String ID:
                                                                                    • API String ID: 3944439427-0
                                                                                    • Opcode ID: e318cd71c4262a4b2f22e557e66c71d1d95dba07f459c9856d263be85467bfbb
                                                                                    • Instruction ID: 37834a6abb1a0c6746273bc8b247097b32205f0ec1d59260f04d8f03a451fa48
                                                                                    • Opcode Fuzzy Hash: e318cd71c4262a4b2f22e557e66c71d1d95dba07f459c9856d263be85467bfbb
                                                                                    • Instruction Fuzzy Hash: E6018EB66187519FC210CF18A880A1BF7E5E7CCA20F048B3EF55993380DA7599458BA2
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #5163
                                                                                    • String ID:
                                                                                    • API String ID: 2496910750-0
                                                                                    • Opcode ID: 8628222d66efa22fbb75a90822c23c8cd64fd189106ee189ac816b2815d67070
                                                                                    • Instruction ID: b59353bec31db99cbef64abfd072ea31615f49cff9b7d6630c8e19eaa2bc1600
                                                                                    • Opcode Fuzzy Hash: 8628222d66efa22fbb75a90822c23c8cd64fd189106ee189ac816b2815d67070
                                                                                    • Instruction Fuzzy Hash: 84E01A76304312AFE614CA49C884D7FE3EDEBD8651F15482EF14187351D7A0AC4186A2
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2511428626.0000000010000000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513471785.00000000100FB000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513597721.0000000010134000.00000004.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513663159.0000000010135000.00000008.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513780742.000000001013D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                    • Associated: 00000012.00000002.2513834204.0000000010143000.00000002.00000001.01000000.0000000C.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_10000000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #5163
                                                                                    • String ID:
                                                                                    • API String ID: 2496910750-0
                                                                                    • Opcode ID: aee84c008ab5242caafff73f9cb0dfff9b2c71f323164d28c08b21e16868c5d5
                                                                                    • Instruction ID: 9babec8c20af0df045677534ebf5447b8f6fbf4fe29b34558b3f4de48b2befb3
                                                                                    • Opcode Fuzzy Hash: aee84c008ab5242caafff73f9cb0dfff9b2c71f323164d28c08b21e16868c5d5
                                                                                    • Instruction Fuzzy Hash: 4BD012766082815FD780CD39C945F2766D8E7C8340F048D1C7289C2244C724DD01A721
                                                                                    APIs
                                                                                    • PostMessageA.USER32(?,00000015,00000000,00000000), ref: 032D7A80
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost
                                                                                    • String ID:
                                                                                    • API String ID: 410705778-0
                                                                                    • Opcode ID: 54305ddb208e88ff213a3ed767e6024914307f95ca478e71430c5696b2e92bed
                                                                                    • Instruction ID: 01972335a79f3dc2910a731a334c1a432f3e60ace045162c654f4a99f2321cee
                                                                                    • Opcode Fuzzy Hash: 54305ddb208e88ff213a3ed767e6024914307f95ca478e71430c5696b2e92bed
                                                                                    • Instruction Fuzzy Hash: BDD0C7716157109FD768DF38E809AD776D8FB4D310F054A2E718AC6240EAF0E8008750
                                                                                    APIs
                                                                                    • FlatSB_GetScrollProp.COMCTL32(?,00000100), ref: 032D65A7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    • Associated: 00000012.00000002.2509125959.00000000032A0000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509362768.00000000032FB000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509461761.000000000330E000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509524056.0000000003310000.00000008.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509601780.0000000003313000.00000004.00000001.01000000.0000000B.sdmp
                                                                                    • Associated: 00000012.00000002.2509664444.0000000003316000.00000002.00000001.01000000.0000000B.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: FlatPropScroll
                                                                                    • String ID:
                                                                                    • API String ID: 3625857538-0
                                                                                    APIs
                                                                                    • DrawTextA.USER32(?,?,?,?,?), ref: 032AA578
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: DrawText
                                                                                    • String ID:
                                                                                    • API String ID: 2175133113-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2511534440.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_10000000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: #4798
                                                                                    • String ID:
                                                                                    • API String ID: 950536974-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: free
                                                                                    • String ID:
                                                                                    • API String ID: 1294909896-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: malloc
                                                                                    • String ID:
                                                                                    • API String ID: 2803490479-0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000012.00000002.2509241031.00000000032A1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 032A0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_18_2_32a0000_Automatically Switch Between Applications At Certain Times Software.jbxd
                                                                                    Similarity
                                                                                    • API ID: free
                                                                                    • String ID:
                                                                                    • API String ID: 1294909896-0